BsidesLV 2024 - Ground Floor - Tuesday
Show transcript [en]
a [Applause] [Music] [Applause] [Music] [Applause] [Music] I'm just TR I'm just trying to give you something [Music] I'm just try to give you something I do you I'm just TR to give you something [Music] w [Music] [Applause] [Music] [Music]
[Music] [Music] I'm just something I do I'm just TR to something [Music] I'm just I do I'm just trying to give you something [Music] w
[Music]
o [Music] [Music]
[Music] he
[Music]
[Music] [Applause]
[Music]
[Music] [Music]
[Applause]
[Music]
a
[Music]
[Music]
[Music]
a [Music] a [Music] n [Music]
[Music] [Music] n [Music] [Applause] [Music]
[Music] oh [Music]
[Music]
[Music] [Music]
[Music] [Applause] [Music]
[Music]
[Music] a
[Music]
[Applause] [Music] hey hey hey [Music] [Applause] [Music] [Applause] [Music] he [Music] a [Music]
[Music]
[Music]
[Music] TR oh [Music] hey hey hey [Applause] [Music]
hey hey hey hey hey hey [Music]
[Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
he [Music] [Music] [Music]
[Music]
[Music] [Applause] [Music]
[Music] w a [Music]
oh
[Music]
[Music]
h a [Music] [Applause] [Music] [Applause] [Music] h
[Music] I'm just trying to give you [Music] something I'm just tring to give you [Music] something I'm just I'm just to give you something [Music] w
[Music]
[Music] [Music] I'm just Dr smoking to you I'm just TR to give you [Music] something I'm just try to give you [Music] something I'm just trying to give you something [Music] w w
[Music]
[Music] [Music]
[Music]
[Music]
[Music] be l [Applause]
[Music]
[Music] [Music]
[Applause]
[Music] a [Music] n [Music] oh [Music]
[Music] [Music]
[Music]
[Music]
[Music]
[Music]
[Music] [Music]
[Music] [Applause] [Music]
[Music]
[Music]
[Music]
[Music] [Applause] [Music] hey he he [Music]
[Applause] [Music] he [Music] a [Music]
[Music]
[Music]
[Music]
e track [Music]
I I would like that I don't know if my wife would like that
I
basically like like search like
know I don't know
morning bides ground floor attendees hello hello uh let's kick this off uh first talk of the day after the keynote um so uh I'd like to welcome everyone uh hopefully you're here for forther gone floor track detection engineering demystified before we begin a couple quick important announcements first I'd like to thank our sponsors especially Diamond sponsors prism cloud and vanta gold sponsors Adobe Drop Zone AI it's their support as well as the volunteers donors and others that make this conference possible uh two more quick observations first of all we are streaming live it's already up on YouTube uh so please turn off your cell phones if you haven't already uh and secondly if you have questions at the
end of the talk we'll have a little bit of time uh raise your hand and I will bring this mic so the internet can hear you uh please welcome David [Applause] all right yeah thanks everyone uh thanks for coming this is first time at besid Las Vegas so thanks to the organizers for having me this talk is for anyone who's curious about the world of detection engineering and learning a process and some techniques for building detections that are focused on identifying attack of Behavior Uh specifically we're going to be looking at building detections for GitHub today but um my goal is to share some techniques you can use to improve your detection coverage for all platforms and
systems that you monitor right not just GitHub uh yeah this is on the ground floor track so I'm going to try and make it um you know so that people beginner or intermediate knowledge can follow along so yeah here's a little bit about me before we get started uh I've been in it insecurity for over 18 years now during the last 8 years or so I've kind of gone back and forth between being a defensive practitioner um you know defending a single organization and working on the vendor side doing detection engineering threat research building out content for Sims and edrs uh currently at Google um it's kind of a different role for me it's like a blue
team Advocate kind of role um working on Google SEC Ops and yeah enjoy doing stuff like this sharing research and knowledge um and when I'm not working you can find me enjoying the outdoors in Colorado when it's not on fire um brief overview of what I'll be covering today so for those of you that are new to detection engineering I'll start off by explaining you know what it is and some of its benefits for a company that has that capability then we'll look at some threat Intel that provides details on an attack group's tactics for stealing data from GitHub environments and then we'll move on to develop a detection that identifies a specific behavior and to build that
detection we're going to identify data sources uh simulate the behavior we want to detect and then develop our detection logic and then we will look at um the concept of monitoring your your data pipeline right um and testing your detections stuff that is really important but is often neglected by security teams and it comes back to to bite them so I I'll walk through a couple of example techniques for doing that and then I'll leave you with some key takeaways and some links to some resources to learn more about detection engineering if you're interested so just for the benefit of folks who are new to this right um just want to take a couple of minutes to
review what detection engineering is and some benefits so let's do that so I like to think of it as a specialization within security focused on implementing detective security controls um the goal is to detect and respond to potential security incidents before they can cause our company significant damage uh there's a focus on continuous Improvement so a team of detection Engineers uh have this process for Contin viously developing testing and improving your detections to stay ahead of threats and our detections complement our preventative security controls either acting as a safety ner if that prevention fails or it lets us Implement controls where you know prevention is impossible or impractical to implement uh there's an emphasis on
detecting attack of behavior versus indicators of compromise um I'll F I'll talk more about that later but the idea is you know um our detections have a longer shelf life if they're Behavior based and yeah this term's I think been appearing more frequently during the last three to four years um it's now I think accepted as its own specialization within security uh plenty of job postings on LinkedIn that either have you know detection engineering a job title or within the job description and just to take a second actually if you're uh my friend Wade pointed this out the other day when he went through a dry on of this with me um you don't have to be you know your title
doesn't have to be detection engineer to do Det detection engineering you could be a sock analyst or part of a you know detection and response team that could just be part of your job that you're developing these detections uh couple of slides on the benefits for doing this right if you're you're a company that has this capability uh it reduces risk so by detecting that malicious activity early on before an attacker can achieve their goals you've got a chance to respond before you know a data breach or A disruption to your business operations occurs and causes significant damage uh this canot you know save a significant amount of money if you you know catch threats early on before they
cause a bigger problem for you but can also save lives right depending on the industry you work in so this study by this University at the top right um ransomware attacks are being carried out against hospitals they found that mortality rates increased by 20% so we're not writing detections for fun right by being good at security depending on the industry working you can help um save human lives and then next by developing these detections that generate actionable alerts the security team can reduce the time you spend um working on security incidents so this is an opportunity you know if you're responding to incident quickly you can build and maintain trust with your customers uh people are
definitely paying attention now when you're you know you go through a security incident they want to see that you've got your act together when they bank with you or you know store their personal information with you and then final slide on the the benefits before we move on to look at this uh this piece of threat Intel uh so having this continuous process for identifying and integrating new data sources or logs can increase your visibility into what's happening in your environment over time uh detection Engineers are continuously kind of um assessing your detection coverage as you know new threats and attack tactics emerge and they're constantly kind of developing and refining their detections and then finally depending on
the industry you work in you might have an auditor that comes in and asks for evidence that you've got certain detections right um so if you work in the financial services industry you might have an A to come in and ask if you've got detections related to Swift all right so we're going to move on to look at a practical example of how to transform some threat intelligence into a detection so let's look at this um so while I was working at another company uh I was on the phone to a security engineer who worked in the same industry as I did uh they said they shared some Intel on a threat group tactics for stealing data from GitHub
Enterprise environments so let's take a look at the details they shared um among several other things right and you you might recognize this this threat group some of you uh this is what the attackers were up to at the time so uh they started off by compromising a software Engineers OCTA user account uh via SM Mission campaign they L users to log into a fake uh OCTA single sign on Portal and then they stole the users credentials so their username password uh one time one time password token as well then they used the stolen credentials to log into the targets uh legitimate OCTA portal they were using VPN services to mask their IP address and geolocation
information and then they log into the target organization's GitHub Enterprise account via the OCTA dashboard tile and then they create a uh personal access token under the compromised users account and we'll talk more about what that means in a moment and then they use this tool um this guy said they using this toour called Gorge to clone all of the code repos that that user had access to so needless to say right after hearing this I became what I became interested in what logging monitoring and detection opportunities existed for GitHub right um i' never looked at GitHub logs before um I didn't know what kind of auditing was available so we're going to we're going to look at some of
that as well so for the remainder of this presentation we're going to use this threat in until to create a detection that alerts if a specific behavior happens in our environment right that we're defending so just taking a minute to consider why attackers Target GitHub and why as Defenders we should care about monitoring defending our GitHub environment some code repos might contain intellectual property right um after stealing that data from an organization an attacker might um try and sell that or use it in extortion attempts against you uh they can examine your source code for vulnerabilities which you know they could either sell or exploit and followup attacks uh if they're able to harvest secrets from your GitHub environment
they can use that to um further infiltrate your environment right perhaps they can um establish persistent in one of your Cloud environments and then finally if they're targeting a company that develops software they can look to um you know inject malicious code into that company's C ICD Pipeline and deliver malware or back doors to unsuspecting customers which is we've seen that before right um so people aren't familiar with GitHub Enterprise uh here's a brief overview of some of the key concepts for this platform so GitHub Enterprise is this commercial offering that provides companies with the tools and features they need for collaborative software development so we're going to look at the GitHub Enterprise cloud-based platform and imagine that your
organization has a subscription to that offering an Enterprise can contain one or more organizations and an organization essentially just lets you group certain projects together for people to collaborate on uh you might have a get up Organization for each of your company's core product offerings for example and then these organizations contain uh repositories or repos which is where the code is stored and it's worked on for each project and then GitHub users are invited to your GitHub organizations where they can collaborate and projects and then I mentioned this thing about uh personal access token right um in this threat and until we received a personal access token just acts like an alternative password for your GitHub
account right so um you can create a token under your account uh Grant a specific permissions to interact with interact with github's API and um yeah these tokens need to be kept confidential and people should assign the minimum necessary permissions to to limit damage right if they're compromised so one of the first things I did when I heard about that tool um that that guy mentioned right was to try and find it um the tools on GitHub ironically uh it lets you clone an organization's or an organization or users's repositories into a single directory uh it works with GitHub gitlab and bit bucket um found it funny like the list of use cases includes creating backups so the attack
is creating involuntary backups for people um so point there are you know a few questions to ask ourselves as detection Engineers so should we review the code for the toour and try to look for um you know detection opportunities there uh who's the developer of this tool do we trust them uh what if the tool contains malicious code right to infect unsuspecting users uh we definitely wouldn't want to download this and run it in our production environment and interact with our our company's code in GitHub uh so yeah do we want to look for opportunities to write signatures to the detect the tool or do we want to build detections that detect the underlying Behavior right so in this presentation
we're going to build uh behavior-based detection so now we've got an understanding of the attacker's tactics and the tool they're using uh let's look at the differences between an indicator and a behavior-based detection if you're not familiar with this so we could analyze the tool and look for opportunities to fingerprint it and write signatures um that detects this use in our environment so the tool might have a specific user agent string that it uses um but with this particular type of detection the attacker could just modify their code right and have it use a different user agent string maybe one that blends in with other traffic and evades our signature um also the attacker might try
and use a different tool then our indicator detections might be broken right and they might miss that behavior um alternatively which is what we're going to do we're going to focus on detecting the underlying actions that need to happen to detect the activ so the idea here is that it's usually harder and more expensive for attackers to change their behavior instead of just swapping out their tools or malware or infrastructure and then with this type of detection we're monitoring for a sequence or a pattern of behaviors which we'll look at next and just before I move on um I just want to knowe you know with an indicator based detection if you're able to uh
deploy an accurate signature that detects you know malware or an active intrusion then that's a in and we definitely shouldn't discount like the value of of indicator based detections as well all right so let's move on to develop a new detection to alert us if um that specific behavior occurs in our environment so this is a very basic design right for the detection we're going to we're going to build to identify a specific behavior um and we're going to we're going to expand upon this as we go through so uh we're going to detect these following Atomic behaviors in sequence and think of these Atomic behaviors as your building blocks for your detection logic so by combining
multiple Atomic behaviors you can create more complex detection rules that alert on these patterns or sequences of activity so the first behavior is access being or permissions being granted to a personal access token uh the second behavior is that same user account being used to download more than five GitHub code repost so we're going to yeah build this simple detection expand upon it from there um there are opportunities to detect other behaviors were that were in that threat Intel received but we're going to focus on this single detection use case um given the amount of time we have so now we've got that basic design for that detection we want to build um we're going to look at what data sources
are available to us as detection Engineers so a detection needs to be fed relevant data or events otherwise you know it will never generate an alert to tell us that the behavior happened in our environment uh so in this example we can see giab Enterprises got this audit log that records events as they happen in our environment uh it tells us that those logs are retained for 180 days uh git events are only held for seven days right before they roll off um and git events involve people cloning code repost uh like the attack is doing and people pushing code to repost so we're definitely interested in those events for our detection use case today and yeah in my opinion you know a
decent audit log when you're looking at the stuff includes um details on the the who what when and where for the event the why for an event is usually implied or you need to look for another data point to tell you why the user carried out that action so in this example you know why did this user disable um this setting in our GitHub organization so we need to either speak to the user or go out and find you know maybe a ticket or another data point that tells us why that happened so um yeah in this event we can see the who right um who carried out the action there's a unique ID for
the user that initiated that action uh what happened there's a specific action or event that took place and when the event happened we've got this precise time stamp so the the wear is missing from this event which is um which is a location right from where that action originated and let's take a look at why that's missing so so a couple of noteworthy things to call out regarding github's audit log so by default The Source IP address is not going to be in your events um I think some some privacy thing right you have to go in there and enable that uh we definitely want to want to see that uh the second thing to call out is that by
default API request events are not going to be streamed to our Sim um we're going to be developing our detection in a Sim right from a centralized location so we're going to enable that option too um this going to let us see you know attackers or regular users cloning the contents of GitHub repos via the the API so these are the reason bring us up right these are the types of nuances we need to understand when we're looking at new data sources for detection so by reading github's documentation um and exploring those settings for the audit log we can configure it to be used for our detection use case and just to point out right um not just for GitHub but if
you're working on a security team building detections or you care about logging for investigations or hunts or whatever um definitely make friends with the people who administer and own these platforms right they might not always have um Security in mind and know to like turn these settings on to make the log valuable to you as Defenders so definitely build those relationships um and get your get your data in a good state so next step is going to be to configure GitHub to stream its audit log to our SIM for ingestion um our Sim is going to normalize these events into a common schema and index them so we can use them to build our detection so in
this example we're just streaming those audit logs to a Google Cloud Storage bucket and then our Sim is going to collect the logs from that storage bucket and injust them so the next step is configuring our Sim to ingest um the GitHub AIT logs from that cloud storage bucket uh in this example I'm ingesting the logs into Google SEC Ops so this is um you know Community event um my goal is to keep things as vendor neutrals possible so and and share some practical techniques for detection engineering so you can apply these techniques us in whatever tools you use so at this point we've configured our GitHub audit logs um those GitHub AIT log settings and we're ingesting the
logs into our Sim so the logs are being normalized and indexed and they're available for us to search um the next logical step is to simulate that behavior we want to detect right so we've got some events um that we can use to develop our detection logic there's a party going on out there one a door um okay yeah so uh yeah if you skip this step right can feel like you're you're shooting in the dark um when you're write any detection you don't have any events to test it against so that's what we're doing here so um yeah in my GitHub Enterprise environment um I created a GitHub personal access token then I granted that token access to six GitHub
repos in my environment and then I use that token to clone six GitHub six repos so after executing that test scenario I went back to my cm and explored those events to understand you know the various field names and values that were logged so you can see at the bottom in the middle we've got the personal access token um access being granted to that and then the get clone events above that and then on the right you can see these events were carried out using a personal access token so now we've simulated that behavior we can develop the first version of our detection rule so this example is going to be written in the y
l language um you can adapt this to work with the technology your company uses right um so in the event section of this rule this is going to specify the field names and values we want our detection to match on so onlines 20 and 21 here we're searching for events where um access is granted to a g personal access token and then online's 24 to 27 we're searching for events where a private GitHub repo was cloned using a personal access token on line 28 we're just creating this placeholder variable um named GitHub repo name this is just going to store the name of the repo that was cloned and then line 31 we're joining that GitHub personal access token event
to the GitHub clone event based on the user ID right because we want to join those by ID to to see which user is carrying out the activity and then on line 34 we're creating another placeholder event uh this will become clear in a minute just to hold the user ID that carried out the actions and then finally on line 37 we're searching for events where that personal access token event happened before um the repo clone events so reviewing the other sections of that rule uh the RL rule in the match section we're telling the ru to return results if the events we specified are found for a single user within a 30-minute time window in the outcome
section we're storing the count of distinct private repos that were cloned and then finally in this condition section we're specifying that the raw should trigger if a match is found for those events and more than five GitHub repos were cloned so now we've written the first version of our detection rule we should test it um to do that we could either run our detection logic over the events we generated earlier or um simulate the attack of behavior again in this example we can see a user created a personal access token and then they cloned six distinct private GitHub repos so our initial detection logic works and then let's assume that after testing that new detection we handed it
over to our sock analyst to respond to alerts um and then after a week or so they tell us you know it's it's generating forc positives uh this is taking up their precious time so we need to fix that so let's say hypothetically um in this organization when a software engineer gets a new laptop it's common for them to create a new GitHub personal access token and then clone all the private code repos that they work on so we're going to look at an option for filtering those Force positives and increasing the detections Precision um we not have time to do a deep dive on precision and recall and those classification metrics that can be used
to measure the performance of your detections um but if you're interested in that you should definitely check out the the link on this slide so if you recall our threat Intel said that the attackers are using VPN services to hide their IP addresses and geolocation um one way for us to filter these Force positives is going to be to to um modify our detection logic to generate an alert if the activity generate comes from a VPN service right so um when I spoke about Precision it talks about considerations when you know you're filtering false positives but you might in turn introduce false negatives or mis behaviors so in this example let's say that our users should only be
using our company approved VPN right not mulad VPN or nordvpn um if we move forward with this tuning option we could create another detection that looks for activity from non-company approved vpns or you know um looking for installation of those VPN clients on endpoints so yeah to to tune this detection I'm going to use a third party data feed from spur um if you're not familiar with them they provide um data feeds on VPN Services right residential proxies and and Bots um and the value there is that the IP addresses for these Services churn quite quickly so um you know an IP address that's for nordvpn might not be the for the same service might not be be being
used for that next week um so having these kind of up-to-date feeds is useful for correlation during detection and investigation or enriching
events so in the highlighted portion of this screenshot we're modifying our detection logic to match on the GitHub activity when it comes from an IP address that spur attributes to a VP Service uh in this example we're joining the IP address from the GitHub events that we enabled in our loging right um with an IP address in Spurs data feed if it exists in their data and this is an example of how we can use third party data sources to adjust the Precision of the detection all right so when you're developing and tuning in your detections it's crucial to test them after any modifications are made so in this example uh I went ahead and simulated
that behavior again in my lab environment and validated that the detection generated an alert so on the left you can see uh the detection matched on the same GitHub events as earlier and then on the right you can see spur is telling us that this IP address um is associated with the mulad VPN service and yeah if you're not familiar with that um they accept cash and Bitcoin as payment methods it's popular for you know people wanting to do certain things and attempting to remain anonymous so definitely weird right if you see that in a lot of environments um slide 29 and I haven't mentioned uh gen yet you almost almost got away with it um one of the important
steps When developing a new detection is going to be to document it right um this ensures that the goals and the design of the detection is understood and the team knows how to triage and respond to alerts um we could have done this earlier right arguably but we're go we're going to go ahead and do that now um a popular method for documenting your detections is to use palen's ads format alerting and detection strategy um and Wade Wells who I think is in here he's a a lead detection engineer he's built this AI assistant that um helps us document our detections right so in this example um we're we're asking the assistant to document the new
GitHub detection we provided some details on what Behavior we're trying to identify and the data sources the detection relies on so the assistant responds right with the documentation for the detection in ads format uh it documents the goal for the detection the mitro attack technique mapping was incorrect so we'll have to fix that but um it includes yeah technical explanation of how it works any blind spots um how to validate and respond to alerts and and so on so yeah it's not the output's not perfect right as with um a lot of these llm models at the moment but it saves us a lot of typing and can help us document out speed up our workflow as detection
Engineers so uh yeah encourage you to check that out if you think it might be useful all right so yeah let's move on to look at why we should monitor this data Pipeline with built and a technique for doing that so yeah this is something that's um often neglected or not thought about and it comes back to to to bite you as a Defender uh so simple diagram of the data pipeline we've built so far um as you can imagine this will you know get more complex as we integrate additional data sources with our Sim um it's going to be important for us to Monitor and test the various components in this pipeline as our investigation
and detection capabilities rely on the quality of our data so on the left we've got um GitHub audit logs and those spur data feeds I mentioned in the middle we've got um a couple of services running in Google Cloud right um that helping us ship this data from the left to our Sim on the right and when data is shipped to our Sim is typically normalized into a common schema then it's indexed before those events or records are searchable um those events might be enriched uh either before they go into SIM or after um maybe with you know metadata about an employee like a job title or department or geolocation information for IP addresses and then
those events are available to the detection engine to to run our rules over those events and generate an alert if if a match is found so all of these components and Connections in our data pipeline canil which is uh why it's important to be able to monitor for issues and you know jump in quickly and fix those so uh as an example of a failure right um GitHub might stop shipping its logs to the storage bucket but our Sim is checking the storage bucket every 5 minutes for new logs it doesn't find anything um you know it doesn't see an error uh this is like a silent failure right and then when something bad happens in your
GitHub environment you won't see it or you need an investigation or you start an investigation your logs on there for you um so let's look at how to to do that um so some reasons to monitor your data pipeline so our environments tend to drift over time um when you configure a data source and write some shiny new detections everything might be working fine today but that might not be the case in a week or a month's time so infrastructure and Technologies come and go you know system configuration changes um software is updated all those things can impact that data pipeline that we looked at minute ago uh monitored systems might stop logging or somewhere
along the line their logs stop making it to our Sim logging spikes can cost a lot of money if you don't jump in identify and jump in and fix those quickly um The Sim might have issues paing events from the log is it received so maybe the vendor um maybe GitHub changes logging schema and our detection relies on a specific field name that's changed and how detections fail and then yeah latency issues as well between certain components can result in us you know um Behavior getting missed or logs not being available when we need them and yeah a lot of these things can result in you know missed behaviors false negatives um yeah missed opportunities to detect and respond to
threats early on uh anyone experienced any of these issues affecting the detections yeah okay sucks um all right yeah so if just a quick call out here if you're interested in learning more about data pipelines and how to monitor and improve your data quality highly recommend this talk by Josh liberti all right so an example technique right to get you thinking about monitoring this stuff um techniques to monitor some components of your data pipeline so we need to know when there are issues with that pipeline so we can jump in and fix it before our detections are impact impacted um some people like to create detections that alert them when you know a system goes quiet they stop seeing
logs in their Sim that can be fine with like a noisy platform like OCTA or Google workspace but some systems are just quieter than others right just because it doesn't log a thousand events an hour doesn't mean there's a problem so um what I've seen is those detections can create false positives that just waste more of our time another option is to think about implementing these health checks for the systems and data sources that are important to us um a health check can carry out a small basic operation a read operation against the monitored system and then validate that those events are in your sim and they're indexed and searchable so these automated jobs you can just run them on
a schedule in your automation tool or C ICD pipeline whatever you use and they can alert us to any issues that occur so don't have to be anything complicated uh let's look at an example so here's an example of a health check that we can use to uh monitor for issues with our GitHub audit logs being ingested into our Sim so I've just created a couple of GitHub actions for this example uh GitHub actions jobs and you can put these in whatever automation tool you use but yeah this first job is scheduled to run daily you could run it more often if you like uh this example is just making an API called to GitHub just to
read the information for one of my GitHub organizations uh it's just a simple read operation we're not making any changes and at this point if authentication or the API call fails um an error will be raised and we can jump in to take a look and investigate at that so this first job passed uh the second job runs after the first one it's searching for the events that we expect to be generated and indexed in our Sim based on that first health check job so we're running a search query via the Sims API um we can see in the output of this job we're searching for yeah those those values specific events that we expect to be there um one event was
returned in this case and our job completed successfully right so um if that failed um we could jump in and fix that issue before it impacts our detections or other security operations so it's not a comprehensive solution for monitoring all components of your data pipeline right we didn't talk about latency um between log events being generated and when they're searchable on your sim but hopefully that you know gets you thinking about monitoring these things um you can get started with some some minimal code and it helps you you know not get blindsided by missing attacker Behavior or red team activity finding out that you don't have any logs to support your investigation it it sucks right when you're under
pressure to figure stuff out um let's look at the importance of testing our detections on a regular basis and an example of how to do that so this is another step that's often skipped by security teams it comes back to bite you again when your detections are broken you don't know about it um by testing our detections on a regular basis we get to say with confidence that our detection and alerting capabilities are working properly so a few common issues that impact detections um it might sound familiar to you so a system might stop logging events or uh the events that are being shipped to the Sim might not be passed properly data sources might be
misconfigured right we looked out GitHub um audit log if those two settings were turned off we wouldn't see IP addresses or API calls our detection would be running right but it would never fire and pesky vendors right changing their logging scheme is on us um spoke about this earlier if a field name changes our detection might break and yeah if you're running detections in if you run your rules in detection engines that are never going to fire we're we're wasting resources right so uh yeah by implementing automated tests we can be alerted to issues and fix them before we miss misbehavior so looking at an example of how to test that new GitHub detection we
created earlier uh we want to test the detection regular maybe once a day and be alerted if the detection doesn't generate an alert in a perfect world right where we would um create a test that simulates that attack of behavior end to end and validate that an alert was generated in this case right um this isn't realistic for a few reasons uh to my knowledge we can't create a GitHub personal access token via their API and configure with permissions um we probably don't want to do that anyway right we we've got a test maybe it fails we don't want to leave these tokens out there dangling with permissions assigned um it's just not real world uh we probably also don't
want to develop a test that comes from you know mulad VPN service and interacts with our data uh just for the sake of testing this one detection and yeah finally developing tests can often take longer than right in the detection itself right so is it worth the effort to develop an endtoend test that does all this so probably not um let's look at an alternative a practical technique is to take the events we generated earlier and then replay them to our SIM for ingestion so to do this we've got another couple of GitHub actions jobs that run on a schedule uh the first job replays those historical GitHub log events into the SIM for ingestion um
we're modifying the time stamps so that it's today's date right um because generally our detections are only looking back so far in our logs when they're running in an engine uh and the events are also labeled to make it clear their related to testing activity so in this example um we loaded up seven events from this Json file we shipped them to the log for ingestion ship them to the SIM for ingestion and then our second job is going to validate that the detection generated an alert so in this example output this um second job gener checked for any alerts generated by our detection and zero alerts were found and an error occurred so this is an example
of the job failing right uh and this alert will come to us so we can jump in and fix whatever it is right logging maybe there's an issue with a detection engine or something something else entirely here's an example of what it looks like when that second job passes or completes successfully so the job found one alert that was generated by our detection it validated the alert was generated by testing activity it looked at this label log replay equals true um if you have alerts opened up in your sim or your case management system you can look for that flag as well and just close them out right so um analysts don't need to spend their time looking
at them and yeah this approach can be applied to other detections you could start small and um test one detection per log Source right that you care about and that you're ingesting into your sim and expand it from there and a risk that a risk with this example right is that um you probably thought of this as I was explaining it GitHub could change its logging schema with validating our detection against older data right um this is far far better than having no tests at all because we're testing the components of our CM detection engine that kind of thing ingestion but you could commit to refreshing your test data every few months right or um commit
to testing the detection manually end to end on some agreed upon schedule all right so that's um we're at the end here let's summarize or leave you with a couple of key takeaways and then some links to resources you might find useful so if you're new to detection engineering hopefully you've seen that this is a proactive capability focused on identifying attack of Behavior Uh your security vendors might provide you with outof thebox detections right that are quite generalized they don't want to blow up their customer base with Force positives um no one knows your environment better than you do right so you can start diving into analyzing attack of tactics developing custom detections that are accurate
right and you can detect malicious activity before it causes harm to your business uh we spoke about the importance of monitoring your data Pipeline and testing your detections so um this lets us um you know find issues before we miss any attacker Behavior or find out that our logs are not there when we need them and yeah if you're not doing any of that kind of monitoring and testing um just challenge you to start thinking about how you can Implement some of that and and get started with some some minimal code and Automation and then finally we didn't speak we I didn't speak much about um you know the skills and experiences required on a detection engineering team
but um I think it's important for a team to have this diverse skill set right to build the best detections I haven't met a 10x detection engineer yet um it's not realistic to expect that one person can bring everything to the table right so something to to bear in mind if you're you're building out a team and recruiting and then finally uh links to some useful resources uh I wrote a blog post recently about getting started with monitoring the detection for GitHub it includes 26 free rules to help you get started uh my colleague John Stoner gave a presentation recently about strategies for testing and validating detections uh Wade's AI assistant for document and detections is here uh if you're
interested in a different perspective or a different um a deep dive on a different detection engineering workflow Dan Lucio's got his blog post if you have a training budget um Spectre Ops detection engineering course is awesome you should check that out and then finally Megan Rod's book um gives you again intro into the world of detection engineering with practical examples that's it thanks for [Applause] coming any questions um do you have any recommendations on tools that smaller organizations could use to impl some of this yeah um anything specific specific like a Sim or the testing part or mostly the the Sim aspect the Sim aspect yeah I would um you know trying to be careful I work
for a vendor that offers a commercial offering um just Google free or Community editions of sim and um you'll see some popular Solutions out there right that that offer a commercial solution if you get to the stage where you need to pay for support and I don't know maybe uh more login gestion like capacity that kind of thing so yeah just Google that or um we can talk in the hallway after right anyone
else sorry buddy um sorry about that um as a factor of uh age of a security program so by years um I'm kind of curious um like what is your expected time to turn out detection so like a I'm kind of working on the assumption that a security program in its first year is going to be a lot slower to turn out a detection than a security pro program in its 10th year um and just kind of from your experience um what's a good goal to shoot for based on that yeah it's a it's a tough one um it can vary depending on the complexity of the the attack of behavior you want to identify um I don't know I'm trying to
think of a a recent example uh so if you add I don't know OCTA session cookie theft um as like tactic of the month right it's the hotness all the companies are getting breached um you can quickly either simulate that behavior using um using open source tools right or if it's a popular technique in the industry other people are churning out detections so you could you could get something going probably in like an hour or two in that case um I think it's yeah more the you know tuning for Force positives um the testing can take a long time but like yeah what do you think Wade like just an emerging threat and then getting a
detection out quickly like I think it depends on the organization right if you're a huge organization one of the struggles is actually knowing if you already have a detection for it if you I think you said like a new organization like like a year old I would say it's almost easier because you but the harder part is the harder part is actually like passing the knowledge of what the detection is uh and like building and testing it like you said writing the query is the easy part I think everything else after that is the hard part yeah and figuring out if you actually have the data available to write your detection if you actually have the logs if the logs are coming in
from the right spot if they're set up correctly with the configuration like you said yeah and then there could be red tape in your organization to um get those logs ingested and that kind of thing so yeah if you've got the logs you can maybe get something a prototype of a roll out in in an hour or two yeah long answer well thanks so much David yeah no worries thanks [Applause] everyone thanks Eric [Music] [Applause] [Music] hey hey hey hey hey [Applause] [Music]
[Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music] [Music]
[Music]
[Music] [Applause] [Music] he
[Music]
[Music]
he
[Music] h
[Music]
[Music] w now [Music] [Applause] [Music] [Applause] [Music] [Applause] [Music] I'm [Music] just I'm just TR to give you something [Music] I'm just tring give something I do I'm just tring give something [Music] w [Music]
[Music]
[Music] [Music] I'm just tring to I do you I'm just TR to [Music] something I'm just TR to [Music] something I'm just trying to give you something [Music] w
[Music]
[Music] [Music]
[Music] a
[Music]
[Music] oh [Applause]
[Music]
[Music] [Music]
[Applause]
oh
[Music]
[Music] a [Music]
good morning uh welcome back to ground floor besides Las Vegas 2024 uh this talk is adversaries also lift and shift before we get started a few quick announcements uh first of all I'd like to thank our sponsors especially Diamond sponsors prism cloud and vanta gold sponsors Adobe and project circuit breaker it's their support as well as other donors and volunteers that make this event possible uh secondly cell phones we are streaming live please turn them to silent and third if you have questions at the end of the talk please raise your hand and I can bring this mic over so everyone can hear you with that please welcome a and cin Sherman thank [Applause] you my name is AD inov I have experience
of 12 Years in cyber security before moving moving to cyber security I worked at software engineering for seven years hi my name is Roy Sherman I'm the field CTO for mitiga uh uh I was doing offensive security for the last decade and now I move to defensive I have a bachelor's degree in information security uh and a master's degree in criminology because I have a thing for bad guys um part of the bites Tel Aviv organizing team and amateur home Brewer let's
start when we talk about the cloud it doesn't just the cloud provider we also include any system or application that provide services in the cloud you can see here the trends in the SAS Market the number of the sus companies and end user uh spending on public CL Services is expected to increase which why we are focusing on our attackers are adopting their strategy on cloud
attacking there's several good uh thank you thank you there's several good reason why company moving to the cloud companies can reduce spending on purchasing and management Hardware the maintenance it's much e easier uh it's allow organization to adopt new technologies uh the time the time downtime is very low and enable businesses easily to uh to scale their resources up or down based on current needs however it's important to note that security is not one of the reason to behind this shift the number of attacks on the cloud also increased those system have become attractive targets for attacker they uh very uh the very large volume of sensitive data and critical businesses processes being handled by S
application make them ey value targets Cloud application are internet facing which make it easier for attacker to find weaknesses and exploit viabilities compared to on pre on premise application that are protected by additional layer security such as firewall or VPN uh let's talk about uh this uh use case uh it's very familiar a Russian cyber group called Midnight blizzard attacked Microsoft by using password sparing attack to access a legacy non production uh test tenant accounts that didn't have MFA enable and moving to the main Microsoft corporate production tenant and by that uh they access to internal uh systems and also source code if you're not familiar with uh what is a password spraying attack it's a type of Brute
Force attack so it means that all the attacks that per from over there are very known uh simple and very easy everything was Cloud only Microsoft are a big cloud provider and still miss this for month like you can see over there Microsoft invest a lot of information SEC a lot of information security but still had a misconfiguration issue in the cloud uh as already know that uh both companies and attackers move to the cloud now let's see the differences between clouds uh attack and defend and defense and defenses uh what is the difference between cloud and on pre you can see here that attacks are much easier on the cloud and uh defense are more
challenging this table shows high level overview of the differences Sherman will drive in uh each or one of them all right so we see that even big companies like Microsoft still struggle both with the basic security in their Cloud even though they are one of the main cloud service providers and we can also see that attackers keeps focusing on cloud we had snowflake very recently which was only a cloud only attack um but we'll start with the attacker POV which is my favorite po to be honest to go through each one of the items we mentioned each one of those topics to talk a bit about how it looks from both the attacker and the
Defenders so from the required skill set perspective we know that when you attack an on Prem environment or technology you have a lot of the basic computer knowledge required like basic networking subnetting um how things work protocols SMB nlms you need to even have a basic understanding on how to compile and run exploits everybody that went through the ocp uh courses saw that we struggle a bit until we figure out how it works we have exploit DB now we have gen and all those fancy things but still you need to have some sort of basic knowledge and understanding how things work before you can come in and start breaking them apart you have a lot of Technology you
need to learn how to bypass one of the most common uh topics discussed today for red teers is how to bypass edrs you have whether it's unhooking and other different types of techniques and almost every other week somebody comes out with a new tool or a new technique against EDR and eventually even if you're targeting the database of a company on Prem or their application or whatever it works on a computer or a server that has an operating system so whether those are Linux or Windows based you still have an operating system you can either Target or interact and try to fight with on the other side in Cloud everything has a UI everything has a portal fancy buttons
you can click you don't need to have very deep internal knowledge on how those Services work or operate if you want to interact with them so if you want to download an entire AWS bucket you just have a checkbox you Mark and click download that's super easy also everything is available over API because Cloud was made to make it lives easier when you want to orchestrate stuff when you want to deploy things everything has an API so interacting with it is very straightforward has very good documentation and we have wide uh misconfiguration that are super common I'm personally familiar with over 20 different open source tools that Target AWS buckets or Azure storage accounts or
gcp storage all of them Target same things publicly accessible with Anonymous access that you can do pretty much everything so from we mentioned a few tools and and that's the thing tools are something easy to burn or to Mark as a Defender you either get signatures you either get how they operate on on Prem what they target what they do what they execute so from a defense perspective mimik cats probably gets an update twice a day today but still we get those signatures from our defense tooling and our security structure we also have the C2 Frameworks but those now come with a cost some of them are open source which are a bit harder to maintain harder to
use if you're are less experienced but if you want the top tier you need to pay money and it's not very easy because those when you pay and you need to have a license they try to crack down on the uh frat actors that are using them for malicious purposes which makes it harder for criminals to obtain them unless they go for the pirated version which usually is much less secure for them but for us the the red teamers the pan testers we have mimic cats which is commonly available and everybody already knows how to use it we have the endday exploit so when CV comes out usually in a few days you'll have walking exploit
somewhere and you have those Frameworks that collect all of those exploits whether it's Metasploit for the the Legacy folks out there but also other options in Cloud it's very hard to defend a against those tools because you don't really have a hash you don't know when somebody's running a specific tool against your infrastructure because as we mentioned everything is tied to the API so those tools to attack Cloud are basically somebody that's coding how to interact with specific apis as a specific order to automate those types of activities and as an attacker you don't really need or or use a zero day or an end day unless you are a state Nation or something like that because
you don't really need it and it will Target the actual infrastructure which is much harder to exploit and compromise rather than specific services that probably are misconfigured by your uh victim the security tax stack so a lot of acronyms I'm sorry that's the industry we live in but um in on Prem we have many we have the edrs for the end points we have IPS and IDs is for Network knack for the physical connection uh internal firewalls for segmentation we have by directional firewalls we have a lot of different technology that we are already familiar with a lot of the companies already bought over 100 different types of security tooling for their own Prem where in Cloud we are only starting so
we are all familiar with a cspm because they almost sold for Google for like 24 billion dollars but we have some common acronyms to be honest we're doing Cloud for living we don't remember all of them I had to Google some of them to put them in the slide of of what they actually mean but the common theme for at least the thir the the top three of them is security configuration they look at how are you configured and not how you are actually ready to do something detect something or respond to something the last category the TD and the CDR are looking at that portion to see all right we have the configuration thing sorted
out is and now we need to see what we do for actual uh active defense and the perimeter that's something everybody already heard of that the new perimeter in cloud is identity it's a cliche it's funny but it's still true because when you want to get your initial access and you want to compromise a company or Target their own Prem infrastructure you need to get a foothold within the environment so whether it's fishing and you need to land with a Mel on the host or fishing for credential and you need to find a way to remotely connect whether it's Citrix VPN any type of remote connection into the company or you can find vulnerability which one of their uh
external Footprints whether it's an unpad service a shadow it somebody forgot about or something you need to compromise or for some of us that's the favorite way physically get into their offices plug something into the network and then you have that access so you have that actual step of breaking sort of a boundary in order to get into the company so it's not necessarily more difficult but it's still more work and we already know that hackers are lazy that's what makes us good at what we do so we'll try to have the least amount of uh in um investment on our side to get the biggest amount of uh value in Cloud all you need is identity and it doesn't
really matter if it's a human identity like username and password an MFA fatigue or no MFA um or just a non-human credential an API key somebody forgotten one of the commits in GitHub or anything you managed to get from a different company at the end of it we'll talk about a different another use case where a company was breached using a non-human identity and then what was stolen from them are a bunch of non-human identities for their customers which makes this cycle much more uh vicious so attackers stopped from breaking in we started to log in and talking about detection so as a as we mentioned where we talk about on Prem we already know sort of what's
suspicious so sorry um yeah thank you um so everything that interacts with ls that's not common we already know it's weird it's suspicious it's something you want to look at it's something you want to block um we have the signatures we mentioned we have the old technology all right ntlm or in some cases LM um we have technology designed to identify when exploits are running through the network um fancy ways for execrating information whether it's DNS that's uncommon anomalies stuff that's out of pattern in Cloud every activity the attacker takes is the same activity as an admin or developer would take the only difference would be their intention and currently it's very very hard to
build detections for intent because in the end of the day you might have anomalies but every organization is different and as a Defender you also want something that's stor made for your organization but when you work with a community everything has to be generic so everybody can adopt it so it makes it much uh harder for us to improve our detections in the cloud because somebody replicates a cloud or a storage account we don't know if it's an attacker replicating it for an unplanned backup they're going to do for us or it's an actual it guy doing their own backup routines people adding integration apps whether it's slack uh code repositories whatever we have today
that's integrated with SAS whether it's something they want need and approve to do or is it something an attacker puts in to have additional access to our infrastructure somebody spinning up huge GPU instances in the cloud they might be playing with generative AI they might mining uh cryptocurrency we need to figure out which use case is it and of course the creation of non-human identities we have developers building cic pipelines so building automations but we also have attackers creating back doors and persistency for themselves so we had all how it looks from the attacker perspective but we here to talk about also about defense so same structure same things but from the defense perspective so technology in
nonrem didn't really change much so everybody talks about geni post Quantum encryption um whatever nothing really changed we already familiar with the architecture of how companies are built so they might be a little bit different but the Core Concepts are still the same all of us are familiar with a active directory lateral movement priv escalation common attacks blood hound attack paths all of those things we monitor for specific event IDs if you take a blue teamer that's doing this for a couple of years and you ask them wait what's the event ID for account lockout or a Kos ticket being extracted or anything like that they know all those numbles from the top of their head we
have common ured seam queries and playbooks very easy to inter to investigate to match against but in Cloud it's it's very different when a bucket leaks out that's a fancy code of unwanted access and it's very hard to determine all right does it actually licking or we wanted it to be accessible what's the architecture when you talk about the cloud footprint because different companies use different clouds some of them are multicloud resources might be for the same purpose but they are buil and Inter interconnected in a different way so it's much harder for the Defenders to figure out how how our architecture looks like and should that service communicate with that service on the cloud are they related uh is it
something going to backend from our providers and of course when we want to start an IR and we know the attacker access the SAS platforms so in this case let's take HR and let's assume they Chang the payroll uh details on a bunch of employees we don't control that app we don't host it we don't have the operating system logs on it and now we're depending on a third party that might have the logs or not they might lie up about having the logs and then we can figure out what really happened and in the end of the day when you build a Playbook and you build it for a Windows Os or a Linux Os or something within
your own Prem it's very generic you can use it across the board but when you build something for AWS it won't work with gcp and it also won't work with Azure and won't work with any other provider especially not with any SAS platforms so some of the common figured out security for defense we already have so for on pram we have ioc's we have hashes we have signatures we mentioned that a lot of times so far but we have also Sigma Yara snow tools we have things that are already out of the box or require a bit of customization we can isolate resources and host using our EDR we can patch vulnerabilities when they come out usually um but in Cloud we are
much more limited from an ioc perspective we have IPS and domains because we don't really have malware running on our own resources we might have some fret actors if somebody works for a fret Intel company I'm sorry don't come at me that that's the truth but we have Ias indicators of activity as we mentioned so we know somebody's doing something but is it a bad thing is it a a routine or is it just somebody doing something they shouldn't do we can't really isolate resources we can take them down we can limit access but it's not really isolation and it's not centralized the way we have it on Prem and of course we can't really patch if a
cve comes in for the infrastructure for AWS or Azure we're [ __ ] um for security tax TX so as we mentioned from we have a lot of acronyms again but all of them sort of make sense because on CL on on Prem they work together they're interconnected they're centralized it's easier to see everything in the same place or at least most of it in the same place in Cloud we have a problem so we have logs they are never real time in best case they're near real time because stuff happens then your vendor your Cloud security provider sorry your cloud provider needs to process them generate them and then ship them to your own Sim
and that takes time so in some cases signing logs which are critical logs in most cases will take at least 15 minutes before they uh populate in your environment so that's super difficult and the visibility which is one of before the last piece we have on Prem we can enable policy across the board easy we build it once run it everywhere same structure for the logs so we vent logs from every operating system so every Windows operating system will look the same have the same structure the same content everything's figured out common types whatever we use we know it's the same everywhere in Cloud first of all most of the logs are turned off by default
because they cost money and when you want to enable them you need to understand what you're enabling where you're enabling it and to enable it everywhere so in WS for example when you enable something it's only in the region unless you go and do it everywhere it's not super easy or straightforward unfortunately and it's something that's usually being missed and the content of the logs and the structure is very different so AWS logs looks very different from Azure logs that look different from gcp logs because those are almost non-existent um and SAS does SAS have logs most of them claim they do then you go for an IR and they start like saying yeah we are working on it
let us like come back at a week or so when we can in other cases and in this case slack and Microsoft I'm looking at you it's blocked based on your license level so if you're using the basic TI for Licensing in some of those S platforms you don't have logs available for you in any case and for the last piece our responsibilities accountabilities all of that structure so in on Prem we know who is going to do what we can yell at each other afterwards that they did a poor job but we know who should do what so it's much easier between it security cyber security socks eups whatever usually they also have administrative
access so they can either go within the network or isolate using their own tooling every time something new gets SP up on your environment on Prem it automatically gets your security policies or your sock package basically in Cloud a lot of different teams Dev team Dev Ops Dev sa Ops sack Ops suck nobody really knows who doing what where and when the sack Ops doesn't have administrative access they don't manage the cloud that's different teams and then when they want logs enabled they ask a different team that's not a security team those are clicking a few buttons and nobody really knows if it was configured correctly and of course again we don't have any control about
Cloud recess vulnerabilities so if tomorrow slack Monday walk day snowflake has a problem which is a vulnerability we can't patch it for them we have to wait for them to figure it out so just to wrap it up another use case I want to go through and this was what happened with cens so basically somebody bad managed to compromise one of the gitlab accounts which got them code access and there they found a non-human identity they use that to go into their AWS S3 bucket and steal all of that which is terabytes of information and cens are serving hundreds if not thousands of customers and within this bucket they had more exess keys for other companies which
make this go round and round and round and now targeting a lot of other companies and those those companies needs to figure out all right which credentials we had with cens can we map those against our environment can we see which activities and actions They carried out do we know which time frame because it came out in April but we don't know where the actual breach occurred or we cannot be certain of it and the only recommendation cing out out of this whether it's cisa or C cisa or whatever was to rotate your credentials so it basically was a simple attack somebody got access to something no vulnerabilities no exploit no zero day uh no nation state attackers nothing
fancy but in the end of the day somebody got credential non-human credential got terabytes of information with more credentials and now we need to figure it out so to wrap up few I would say recommendations from us to you so next week work on that visibility we mentioned because we know we don't have logs and we don't have good visibility we might have logs available that we do not collect or not enabled or if they're enabled we need to make sure they're enabled across the board all regions all Cloud providers all SAS platform that we already use we might don't see it in their configuration so we for reaching out and asking them do you have security
logs because in a lot of cases they will have sort of application SL debug logs which are less effective for security and next month try to see how you can enable security tooling available from your provider so AWS has guard uty Azure has security Center and Microsoft Defender for cloud gcp has the Google Cloud security Command Center GE that's long um I don't know if all of them are free depends on here licenses whatever check it if you have it available start using it they generate some of the alerts you want to see as a starting point and then you can expand on doing all right uncover your unknown unknown which is another cliche I hate but it's
still true get a red team a good red team to start breaking things and then when you can see what they broke and you don't know where they went when they got into that specific s platforms that's a visibility Gap you want to address and then start building your anomaly detection and your behavioral detections that means that we said we can detect tools however if you have a tool you can start seeing how it's structured which API it calls in which uh way method which time frame between each call it helps with detections it won't solve security unfortunately uh but it's still something better for your Cloud environment thank you for having us
right uh thank you so much we don't have time for questions unfortunately but audience shman will be right uh by the door if you want to catch up with them uh after this next Talk starts in about [Music] n [Music]
[Music]
n
[Music] [Applause] [Music]
[Music]
[Music]
[Music]
[Music] [Music]
[Music] n [Applause] [Music]
[Music]
[Music]
uh we're about to kick off uh spear fishing at scale using generative AI uh quickly before I get Ted started I'd like to thank our sponsors especially Diamond sponsors prism cloud and vanta as well as our gold sponsors uh project circuit breaker and semrep it is their support along with other sponsors donors and volunteers that make this event possible uh as always uh please silence cell phones we are live and streaming to the internet if you have questions please raise your hand and I'll bring the mic to you please welcome
Josh hey folks thanks for coming how's my audio back there good cool great all right welcome to hello world L World anyone get that joke anyone get that reference thank you very much I worked very hard on that um spear fishing at scale using generative AI um all right so quick background why we're here uh is there echo or just a little bit of echo maybe all right [Music]
um testing all right there we go thank you sir appreciate it okay so uh I'm on the internet you can find me pretty much everywhere at J Camu where I'm the founder and CEO of a company called Sublime security we detect and prevent lots of email attacks that's why we're here today to share a little bit about what we've been seeing in the wild um and also some um share a little bit of experience um some of what we recreated on the offensive side um my background prior to Sublime spent most of my career in the offensive of cyberspace so that's a little bit of what we're going to be bringing today um all right so quick overview of what we're
going to be covering we got a lot on the agenda um we're going to mostly spend most of our time talking about gen use by adversaries and what we've been seeing in the wild as well as um what we were able to recreate relatively quickly to just demonstrate really the the barrier of Entry to doing this stuff and and how low it is and we'll talk about detection and then defense and depth strategies as well so before we do I don't think it's a surprise to anyone that the um threat landscape is rapidly rapidly shifting we're seeing this in in email in particular lots of new techniques being employed uh anyone see like QR code fishing recently or heard
of it callback fishing I mean it feels like every day we're seeing new types of attack variants the question is like you know why what's the motivation behind it um when we're when when speaking about um financially motivated adversaries you have different types of adversaries with different objectives you've got nation states um who may be financially motivated but have other motives as well like Espionage you know Intel collection when speaking about financially motivated adversaries they are seeking High Roi opportunities um there's two inputs into Roi there's return on investment return is the financial reward at the end and investment is the time money resources allocated to achieve that return so keep this in mind this is why you know we'll
see obviously the adoption of gen by attackers because it makes them more efficient um so quick terminology overview um has anyone not heard of gen or llms yeah all right cool so we won't belabor that point but just to draw a distinction here um gen is really like the umbrella term that includes image Generation video creation audio synthesis code generation and it also includes llms so llms are a subset of gen um and llms um focus more on text generation summarization that kind of thing uh for the purpose of the talk we're just going to use the umbrella term but just so we're aware of the terminology there and why we're using what and just a couple words on the
landscape here and um we've really got two um two different kind of even Phil philosophical approaches to the landscape we've got um the Clos models and we've got the open source models everyone I'm sure is well very well familiar with open AI maybe not as familiar with the others anthropic Co here uh these are all accessible via API these these are how these closed models make their U models available and we've got the open source models and you run them locally generally or you can deploy them elsewhere using tools like AMA um so when when talking about what we've recreated um or even attacker usage you can generally see either one of these depending on privacy
preferences um or the lack thereof so we're seeing I mean this is probably not news to anyone that this is happening in the wild today um and it's happening pretty much through many different attack vectors so not just email we've got the FBI warning um around voice and video cloning down at the bottom left there and we got Microsoft talking about Forest blizzard a Russian threat actor employing llms for various purposes um Recon and enhanced scripting generation so really we're seeing U we are seeing adoption quite literally by um adversaries and bringing it back to the former Point around why right um it makes folks it makes you more efficient um and it lowers your investment and it
increases your return and we'll talk about very specifically in the email domain what it enables you to achieve um Beyond just efficiency uh really we're talking about efficacy of attacks as well so let's get right into it around the attacks we've we're seeing in the wild so a quick note on this right it is practically impossible to assess with confidence that something is geni uh um originating um so if anyone tells you with certainty that it is like unless they were on the adversary keyboard and observe it happening it's impossible to say with certainty right um so we are saying likely we use likely AI generated uh with very very high confidence and we're making that
assessment just for transparency's sake using uh some of these factors right so we're talking to our customers and validating that these are in fact uh fake threads fabricated identities real events that are happening um we're seeing similar variance across multiple customers but tailored uniquely to certain ones um we look at thousands and thou millions and and very manually eyes on glass like thousands of messages like we analyze them so we have a lot of experience um so we've got Instinct for what's looks feels and looks like AI generated and and what's not um and then we are in throughout the course of this presentation we'll also show the output of some of these AI detector um tools so
there's a bunch of these out there uh this is a relatively new field the detect the detection of AI generated text um so it's very nent it's not a reliable thing that you can use to like detect things there's a lot of FPS there a lot of FNS but um it's it's a thing so we we show the output of some of these throughout this so here's the first one um this is is writing to um verify and request um invoices and basically start a conversation and there's a bunch of things happening here there's um an impersonation of an organization's like a real uh contact at this organization what's really notable about this like invoice fraud is not a
new thing right that's been happening for a long time but it's generally riddled with like poor grammar um and you know threat actors that are non-english-speaking that clearly just threw some [ __ ] into Google translate and it's like not that really well written and so this is what's interesting about this is that it's um proper English there's a structure to the paragraphs here it reads like relatively well um and so really we're seeing this better formatted um generic this is like not highly targeted right we'll talk we'll get to the more targeted stuff but it's interesting because even the lowlevel Mass fishing campaigns are stepping up and and they are not your your Nigerian prince scams
anymore right they're they're well uh structured so over on the left here we also have identified some signals here we will come back to this towards the end when talking about detection but I want to to highlight some of the signals that you can actually use um for each one of these so we'll come back to that um mentioned these AI generator detector tools here's I think one called zero GPT that assesses with high confidence that every single word here was generated with um a tool uh with with that was generated by AI um it makes these you can look up how it's making these interpretations really a variety of factors like Randomness the probability
of certain words the uh variation of sentence structure the length of sentences there's a lot of factors that go into these assessments um but yeah interesting uh assessment there all right example two who has who has received or seen a benefits enrollment fishing scam before yeah okay a few people um so this is like not necessarily a new uh technique right we are seeing old tried andrue techniques that are better than before um this is proper English there's you know 1 2 3 4 these are all proper like it makes sense it's well structured there's no grammatical errors here and so we are seeing the older these like tried andrue techniques around um pretext uh and the techniques that are being
employed just stepping up in complexity or in convincing and how convincingly are the other reason I wanted to highlight this is that there's a PDF attachment on this message that uh has an embedded QR code so this is actually a QR code attack and so um you can see the the uh blurred out part there and so what is happening here almost certainly is like autogeneration of PDFs um and and embedding of QR codes as well in attachments so um quite interesting and here we can see a different uh AI detector Tool uh assumes predicts 100% of this was AI generated okay on to the most interesting one that we have come across as of late um there's a lot that is
redacted here because there is there are real identities there are real events and so for you know customer privacy reasons we've had to redact this but um this attack uh has an entirely fabricated thread with responses with fabricated responses from real identities at the Target organization about a real um and we'll go through each one of these it's quite interesting so the first email in the thread um is coming from uh the a a fake message that's purporting to be from the target organization an entity at the Target that is reaching out to the gala saying that they want to pledge $25,000 to this event the they we've got a reply coming back saying that they are um they wanted to
express their heartfelt appre appreciation and send a package for sponsorship um and then we've got uh a followup where in threaded reply to um these are actually um real organization names in the targets industry so they've got they've done some you know enrichment here and are saying hey X company and Y company are already in um and they filled out the form and whatnot and then we've got another fake reply uh purporting to be from the target organization saying where to send invoices to and then we finally have the last message in the thread which is you know what what the actual ual attack is which is sending the invoice so we've got someone in finance
that receives it sees that there's been exchanges and everything looks legit um and it is quite in fact not legit so very very interesting development here and you can see that this is um that the AI detector actually does a worse job on this and ultimately like these things are just they have too many FPS too many false negatives so if you are kind of relying on this on a day-to-day just know that you know there it's it's a relatively nce it's a relatively new field that's that's developing on the detection side so we did verify with the customer um that this was in fact completely fake uh did not exist the sender domain if we pop back over um was
actually registered um um a few days prior to the attack so it was just registered newly registered domain it was designed to impersonate um so quite quite interesting here so what's the impact of this ultimately on the email threat landscape uh messages are more tailored they're more convincing they're more correct grammatically they're more diverse when looking at a campaign across multiple organizations and um they have more reach because they are landing in the inboxes more opposed to spam so uh just for fun I wanted to see like what it would take to kind of recreate something that was quite convincing so um there's there's lots and lots of tools this isn't a talk about ENT um but you know there's plenty
of talks on gathering information on entities in an automated way here's some of those tools um so you can go pull in pull information from identities from organizations crawl websites crawl LinkedIn all these types of things there are services that already have all this information like full contact UM or or even clearbit provides um logos give it a domain it'll give you a logo so um all of these enable you to automate this and for recency uh or or for more um uh higher chance of success the if you can include and this is a personal opinion from just coming having uh spending most of my career on the offense like if you want to convince
someone of something um or have a better chance one technique use a recent event use something they said use something that is like highly relevant and timely not just some generic thing right so hey I saw you at this event hey I saw you know something that is like much more believable so we took all this information this is a bunch of info gathered about me so name title pass roles um recent activity from socials this was like one of the key inputs here so pulling a bunch of my recent LinkedIn posts a bunch of my recent uh Twitter posts and then giving a prompt um that we've iterated on so I'll read some of this uh you are
a computer scientist who writes very dull with little excitement and is extremely tur craft an email message do not sound salesy at all or make any generic statements keep it extremely short and concise a few sentences at most uh it goes It goes on to say to give some additional Direction um mention that you're sharing a document and say how specifically relevant to the observation how it's specifically relevant to the observations above and think they'd be useful or relevant be casual double check your work uh to ensure you are not making up anything that didn't happen so this is what we get um this was after not much iteration um hi Josh I saw your LinkedIn post about the
increasing sophistication of fishing attacks link post your points on adaptive threat for to detection or insightful that is sort you know relatively what I was talking about uh I'm sharing a doent on recent fishing methods that relate your observations I think you'll find it relevant and useful um and we can embed then our lure in a Word document or a PDF or something like that um decently like I might click on this um like I want to know what yeah what you're talking about re fishing methods like that makes sense um so really this was an exercise to understand like what does it take uh and it's the the barrier to entry has been lowered significantly
so um that's just something to really Gro um okay really quickly we'll we'll go through the last few bits here detection and prevention so on the detection side it's not all that different from from targeted like tailored attack detection so even for this guy right um we're using signals like hey um you've never spoken to to this person before there's a suspicious Word document there is a it's a malicious Word document it's a malicious PDF there is a suspicious Link in the PDF we're going to you know there's a link that we Analyze That Auto downloads an ISO like it's not all that different on the detection side um but attackers are um just constantly evolving these
techniques right so you know there's thousands of these signals um but the point is that it's it's on the detection side it's not very different even as things get more uh Advanced and um we talked a lot about the offensive applications of of generative AI there's a lot of of course defensive applications from language analysis intent classification um so this is one thing that you know we do very heavily around identifying text and understanding its intent um extracting entities this is called Neer named entity recognition is there a request being made is there a sense of urgency things like that and of course you know there's there's so many more around um alert priorization saki there's a this is
really just the beginning of um a lot of interesting defensive applications so the last word to wrap up um defense in depth really there's obviously like if you can block it at the email L like left of boom right as far left as you can go great but you should always have a defense in depth mentality um educate your users right it's important to know that fishing attacks um can be extremely convincing it's not just the hey the the Microsoft teams alert or the fake Microsoft teams alert or things like that like it can be quite convincing um for credential fishing attacks employ MFA ideally Hardware based like UB keys and for to prevent becc have a
multimodal approval for large transactions multi-layered um all right um I think we've touched on all this it's it's just it's still very nent it's it's getting worse so um thank you [Applause] uh thanks uh any questions for Josh bring the mic right over so with regard to detection uh how much are the like the much more common uh kind of that that grammar uh like helping apps like grammarly Microsoft co-pilot even just Gmail how much is that kind of like fuzzing with uh those detection algorithms that you guys are using to because we're probably I I would assume seeing more and more corporate users using that uh to you know help themselves but then obviously
you know with Gen uh then being used to create these fishing messages how much is that kind of like wreaking havoc with those detection models as in uh for the for like the Gmail for Gmail's detection model or for like H how are they so earlier you kind of had like 6% you know yeah right you know so then obviously you've got more users like real users using these gen based uh apps to help with their Grammer and and you know in their email yeah yeah oh yeah like how does that impact detection basically well that that's why I don't think you can use these detectors as like inputs into detection right it's there's too many false
positives yeah one more um so do you think that like I guess the overall mitigations that you would take against fishing let's say are like drastically Changed by this or is it just that the fishing is more effective the ladder okay yeah uh thanks very much Josh uh lunch break other talks are going on in other tracks otherwise we'll see you back here at 2m for hacking arcades thanks
[Music]
[Music] [Applause] [Music] hey hey hey he [Music] [Applause] [Music] [Applause] [Music] [Music]
he he [Music]
[Music]
[Music] [Music] TR [Music] hey hey hey [Applause] [Music]
hey hey hey hey hey hey what [Music]
[Music]
[Music] [Applause] [Music] he [Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music] [Music]
[Music]
[Music] [Applause] [Music]
[Music]
[Music] w
he
[Music]
h [Music]
[Music] [Applause] w w [Music] [Applause] [Music]
[Music] I I'm just trying to give you [Music] something I'm just TR do I'm just St to give you something [Music] he [Music] [Music]
[Music] [Music] I'm just I'm [Music] just I'm just tring something okay to BR you I'm just trying to give you something [Music] n [Music]
[Music]
[Music]
[Music] a [Music] [Music]
[Music]
he
[Music]
[Music] [Applause]
[Music]
[Music]
[Applause]
[Music]
[Music]
a [Music] e [Music] la [Music]
n
[Music] oh [Music]
[Music] a [Music] [Music] [Music] [Applause] [Music]
[Music]
[Music]
e
[Music]
n [Music]
[Applause] [Music] hey hey hey hey hey
[Music] [Applause] [Music] nah [Music]
he
[Music]
[Music]
[Music]
[Music] TR
[Music] hey hey hey hey [Applause] [Music]
he hey hey hey hey hey [Applause] [Music] oh [Music]
[Music]
[Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] he [Music] [Music]
[Music] [Applause] [Music] he [Music]
[Music]
he
[Music] h
[Music]
[Music] w a [Applause] [Music] [Applause] [Music] [Applause] [Music] I'm just I'm just TR to give you [Music] something I'm just trying to give you something I do I'm just trying to give you something [Music] w [Music] [Applause]
[Music]
[Music] [Music] I'm just okay I do for you I'm just TR to give you something [Music] I'm just TR okay I do I'm just trying to give you something [Music] w
[Music]
[Music] [Music]
[Music]
[Music]
[Music] [Applause]
[Music]
oh [Music] [Music]
[Applause]
[Music]
[Music] n [Music] I [Music] n
[Music] [Music]
[Music]
[Music] oh [Music]
[Music]
[Music] [Music] [Music] [Applause] [Music]
[Music]
[Music] yeah a
[Music]
[Applause] [Music] hey hey hey [Music] [Applause] [Music] he [Music]
[Music]
[Music] oh
[Music] track [Music] TR he hey hey hey [Applause] [Music]
hey hey hey hey hey hey [Applause] [Music] [Music]
[Music]
[Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music] [Music]
[Music]
[Music] [Applause] [Music] he
[Music] w w
oh
[Music]
m [Music]
[Music] now [Music] [Applause] [Music] [Applause] [Music] oh
[Music] I'm just TR to give you something okay I do for you I'm just TR to give you [Music] something I'm just I do I'm just to give you something [Music] n [Music] w
[Music]
[Music] [Music] I'm just TR to I'm just try to give you [Music] something I'm just TR to give you something I you I'm just trying to give you something [Music] oh [Music] w
[Music]
[Music]
[Music] [Music]
[Music]
[Music]
[Music] [Applause] is
oh [Music]
[Music] [Music]
[Applause]
[Music]
[Music]
[Music]
[Music]
h
la [Music]
[Music]
[Music] n [Music]
[Music] oh [Music]
[Music]
[Music]
a
[Music] [Music]
n [Music] [Applause] [Music]
[Music]
w [Music]
[Music]
[Applause] [Music] he [Applause] [Music] [Applause] [Music] [Applause] [Music]
he [Music]
he a [Music]
[Music]
[Music] TR [Music] hey hey hey [Applause] [Music]
hey hey hey hey [Applause] [Music] he [Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music] [Music]
[Music]
[Music] [Applause] [Music] oh [Music]
[Music]
he
[Music] h
[Music]
[Music] [Applause] [Music] [Applause] w a [Music] [Applause] [Music] I'm just I'm just trying to give you [Music] something I'm just trying to give you something do I'm just trying to give you something he [Music] w
[Music]
[Music] [Music] I'm just I'm just TR to you [Music] something I'm just something I I'm just want to give you something [Music] m [Music]
[Music]
[Music]
[Music] a [Music]
[Music]
he
[Music]
[Music] [Applause]
[Music]
[Music] [Music] oh
[Applause]
[Music]
oh
[Music]
[Music]
[Music]
[Music] a [Music] [Music]
[Music] l [Music] [Applause] [Music]
[Music]
[Music] a [Music]
[Music]
[Music] n [Music]
[Music] [Applause] [Music] oh [Music]
[Music]
[Music] oh [Music]
[Applause] [Music] he hey hey hey [Music]
[Applause] [Music] [Applause] [Music]
[Music] he [Music] he
[Music]
[Music]
[Music] track [Music] yeah all right good afternoon everyone welcome back to ground truth besides Las Vegas 2024 uh excited to kick off the afternoon hope everyone had a great lunch break uh with uh insert coin hacking arcades for fun before we get started uh couple quick announcements I'd like to thank our sponsors especially Diamond sponsors prism cloud and vanta as well as gold sponsors Drop Zone Ai and semrep it is their support along with our other sponsors donors and volunteers that make this event possible uh secondly we are streaming live please turn off your cell phone so as not to disturb the internet uh and also if you have any questions uh we'll take make
sure to save some time for questions at the end please raise your hand and I will bring the mic to you with that please welcome ignasio thank you thank you thank you uh as I say if you want to take pictur during the presentation is okay for me and if I looks good tag me on Twitter because I need to change my teer picture so that's fine uh and also this is my first time speaking here in mid size and in 20 19 I think I think it's not working there okay uh
okay okay so 2019 I went to the first Conference of outside from outside Argentina and this one was besides so I'm so excited to be here today uh I'm Navaro I'm 26 I'm from C Argentina is like in the middle a small City small town I work in like application security engineer and I know sometime I do some medical hugging when I'm a little bit bored at home and that's the Twitter if you have any question later or something like that and for the picture too and also as a fun fact I love sneaker and also I made clothes so that's why I have a lot of that [ __ ] uh what you want to see today I
divided talk in 10 different stages so we want to see a little bit of introduction how I found this arcade in Brazil uh about the company who is owner of the product of the system as some idors work authorization Security in Android a take cover race condition a little bit they have a web page if you want to book a some arcade for a par we days and that so a little bit of that web page some side servers NFC and the conclussions disclaimer so maybe some of these techniques and procedures are are not completely legal so I recommend don't do this one at your home and if you do this one just take care and if you found something please
report that stuff immediately so just don't be an [ __ ] and be the facing websites and that stuff in Argentina there was so normal like two months ago they were def facing website from public universities or libraries and why so we can start right now the last year last December I went to hauger to hackers in Sou that's a really really nice conference so technical that but also they have a lot of parties from Friday to suay so in one of those parties I met a girl from Brazil and at the next day we went we went to get some beers and after some minut we see that there was an arcade place in front of
the bar and we say yeah sure we can go to play some games we enter into the place and there was a small machine like that one where you can get the car you can ch you can check your money and that and that was running a really old version of Windows so I stare in front of the machine for like five minutes looking that that way and I say okay maybe when I come back to Argentina I going to what's going I want to check what's going on over there so stage one that one was the car just the name of the of the company and that not not not much no not much data
so I Google it and and I run a little directory list with go with gobas at the normal dictionaries and we didn't get a lot of data that was just a old version of PHP running Drupal and they have exposed the info. PHP as I say the version was from 2019 and there's an interesting research from breadmore that's the Q code if you want to read it is from 2011 and if you have the file blows on and and you get some lfi you can get some access and execute some commments in that but in this case we don't have the lfi so doesn't matter I run a little DNS search with dnsx and S find there and S
find that's the the giod the giab Cure and we found the normal domains but one subdomain called PL was the web application for check your salary and your history where did you play charge on money and that so I tried to do injection into that one but that didn't work because there was a middleware so you cannot do anything so you can just check the moments and charge some credit so I spent like two weeks in that stuff and I don't found anything in that and say okay maybe there is no talk this year there's no vulnerabilities here so after two weeks I turned I turn the car and I see at the bottom there
was a URL from another different company so I Googled it and there was a Argentinian one and say hey we are the worldwide worldwide leaders of creating system for amusement entertainments and blah blah blah not just arcade we have bowling we have skate park uh trampoline parks and everything and that was getting nice and they have map with all the clients around the world public and there was that more than 2,000 installation and around 70 countries so definitely I say okay yeah I want to I want to check what's going on over there I run a little DNS search too and I found the API version two documentation um but you need the if you
want to generate the authorization token you need the API key and the API secret just showing that string do a sh one and another Shan I don't know why and then you have the access token so if if you want to check some API that say okay that return at 200 status quoe but on the body you can see it's status success but the success is false and the status Cod is 4 403 and access denied but a certain point say okay we need the API key and the API secret that didn't work but what happen if we delete the version two in the normal web application that didn't work well we are from Latin America
so that work and you get all the data from that amusement park in this case is in Orlando Florida and some in monotis and I did the another gobard over the API and I found some endpoint with 200 okay and some data all of them most of them were were empty and a lot of them with 400 with a lot of Errors the same one who I show you sy that's error or just access Deni so now we can move to the idor and the r authorization what is idor basically is when you try to access to the object uh maybe that's your op and that's okay but maybe you if you want to ask for the 2001 and that's not yours
and the application say yeah sure here you go that's the idle basically so we can check we can check our car for example let's say okay this one is my car I have this money in that in that stuff I have those tickets and the image is just the same we show you but what happen if we want to ask for another car so we get we get access to that one in this case okay this one have $90 the those tickets without token or something so just checking and the same with the customers and also there was a sequential ID so you ask for the customer number one and you get all the data the first name the last name the
phone the picture where they live where they play the car uh you have access to those car with the pin Cod there was a pin Coe in the car but they didn't validate it so I don't know why they use it so that that was me after I found this [ __ ] ER I I wrote a little pth script to get some cars with some money inside and some tickets just for check if that was working there was a demo demo web page and there was the 2,000 installation with the same stuff yes I came back to the web page and I start to see I start to read the different news about and they say okay
we are in Brazil we are in Prague we are in Saudi Arabia we are in Spain we are in UK and there's another one most interesting for you I think I don't know if you know that place but there is a roller coaster close to here uh I don't want to say the name or anything so but they see you know which one is um number four Android application when I was checking the API I found I found an endpoint who say you have different sources to get the C when one will be the kiosk at the store the machine who show you and the other one is the mobile so I came back to the to
the application store and I didn't found it because it was in Argentina maybe I don't know so I went to the normal application like normal places like APK combo and APK Pure or and there was a list with all the applications so I download one of those I de compile that one just with EP tool or Java de compilers and we get a code because this one was on a FCAT or something so that was all in PL test uh I run a little VI F just for making it more Beauty and now we can filter so I I run a repb with the API key and the API Secrets the buuk URL account code and we
get all those data so we have the applic the the key and the secret that for the application number for the API version two and I get more application just to check if that was the same stuff and yes so the API endpoint was the same but that changed the API key and the API secret and the account code that's mean the D point is the same one but there was a heater called account code and each account code was a company that was like xmal like 13 13 characters so could be quite complicated to guess which one is TW one uh so with that with that data we can just point to some company but also
we have Google and also we have the list of all the customers so maybe we can search a little bit but what I'm saying basically in this case we send a request to the to the API to the main AP to the main API with a account code and let say okay this one is a amusement park from eador and if we search the name of the place the name of the amusement park and we send a request you the same one but without account code we have the same data so the API is the same one and we don't need the account code what about if we charge some money into that one uh we need the token we
have the API key we have the API secret for Generate the token so we run it we get the token and now we can just consume the API and that's that there was a end point who where you can see all the different offers that they have like okay you can charge $200 and then you get more 50 for free and that and also there was an endpoint for generated sales just the idea of the offer the number of the card that you want to charge that money and and and that's it uh uh uh and also that say if you want to do the online rear automatically automat automat uh automatically we can say that
uh you can just set the parameter deliver in true and that's it so obviously I didn't run this because I don't want to be in jail and $200 of this in Argentina is a lot of money so about the end points into the application there was almost 30 in that one all of them went in plain test and also they have the parameters so you can read you can see the body or the query p in some cases and there was an interesting endpoint called customer that you can change the um yeah there was a post they that they have the authorization token but they didn't validate that one uh and the body was the name the
email and the newsletter that was just a random body to get some spam in your mailbox but I think the interesting one was a mail because maybe we can do some stuff if we exploit that thing because we don't need a token and or anything for the user so a qu C and race condition I ask for my user and I say okay this one is the demo us sir uh that's your last name and this one is your email uh but now sent the post without any token just with the account code and I said okay now I want to set the full test the email and that's it and that works so they don't have any validation
so I I record a little video about that but I'm so bad editing videoos so sorry I mean I did my best with the application in the Macbook so we had the account demo account take overover that one is your email food test now we're going to go to web Hood get that email send the post without any token and let say Okay St to access this one is your new email we come back to the login we ask for the reset the password because this is this is not our account send me a password we receive the
email I US Post use a speedcam or something here but as I say I cannot do that we reive the password correctly we said just one 2
three uh now we want to look it in with the other with the new with the new
email sorry and that's it we have for the same account and the user never receive a email and say hey your email was changed that was you or not so once we get into the profile we we can get access to all the cars and the history and all the person live basically so race condition is when you want to get some different process at the same time uh you have some different case that one is the C code for the port sger lab so that really nice uh basically you want to you want to use the same process at the same time but you have different attacks could be so complicated and that but in this case
I just write the well this one was the offer that say Hey install the application in your phone and you're going to get 300 tickets so I wrote a little python script just normal one I mean I just send in just a post and that's it and 100 threats nothing compl licated nothing so hard so I run it and that was five hits and we check the history and we get all the tickets into our account and in this case was just ticket but there was another one like hey you want to get $200 or $100 and more points and obviously I didn't try that one too uh about the bookings uh I found that that stuff on
the application say Okay online booking start res i r a gobas over there and we have a lot of a lot of folder exposed but the most important one was the TMP deow some data the TMP have some XML logs store data and some about the end points you you get some apis over there you have some values but it's not so much important in private data I mean it is but not too much the I wrote a python script too to get some interesting because there was a lot of picture just the logo and that stuff there was not so much nice data and I found and that found three different folders called fur
Argentina that's mean like invoices Argentina and when I entered that one they had two certificates and I searched a little bit and in Argentina they use the stuff to say hey I'm this company and I pay or I receive this money from that person so you can do some funny stuff with us with that one but if we have the certificates we need the invoices over there so in the data there was all the invoices from Argentina with a lot of customer data the address the phone how they pay with which car and that and there was almost 600 700 data and about in booking manager one of the end points was called post and they say here the reservation
but last name or reservation code and you have the stuffff the input and search but what happen you if you just click search without any data you get all the restation so you get all the customer you get all the data uh who they are how many person how they pay but I those one those one are new this one I think this one was from us from April March when I was working the talk but also the web page was a little bit weird because they have a lot of Errors into the application you can get some you can read some code over there you have some sqa in SHO and also there was a fun stuff that
you can tip for the waiter but you can see the negative tip so it's less money that you have to pay um S servers as I say at the beginning sometimes I a little bit Bor in my home and maybe Sunday I open shoot and I start to find something just to have some fun and in this case I phone they have the sendex public so you can create an account without any validation I mean you can just set random email and that's it and you can get some videos inside I mean they they have a lot of network Maps like okay this one the infrastructure you can get some API Secrets some password some API key so
they have a lot of videos with a lot of data there was a go-kart in here in us too who using the same stuff and they have the administration panel public so you can get all the user from the API the name where they live the hes uh that was we token or firew so you can use some DDOS and that's it and also they have public the panels I mean when you are on the cting you have all the all the monitors over there so you can see that stuff too it's not so funny but you can see it about Spain there was a big amusement different amus Park from the same company and they have
public this stuff that was is like the administration panel for each amusement park I tried to do some sqli and that and that didn't work but they had Expos the web pack so you can read all the code from the application and they have API that you can check the different machines and that give you the status and the the public IP for that machine from that machine so you can get some fun from that way too uh you have all the the roles there was just four but also they have the login part and they say you remember the first Jason who show you with all the status access status file BL that was something
similar and I say okay if the status qu is 200 just give me the token that's it go away but if if the status qu is 407 do something but this if it this 420 do another stuff I say okay what is 420 at the beginning I was thinking I think was talking about weed or something like that but no that say 420 that give you another screen could say okay you can receive the password for the user that you want to that you want to do so this was a random user and you can set the new password and that's it no validations no token anything so it's like the same typ I showed you at the
beginning about the NFC I don't want to go in deep with this one because the card to be honest was so simple but there's interesting article from Chim Alonzo from Spain who show you the different vulnerabilities in the NFC in the my fre classic system and that and in my case I use the flippers z um so I read it that was a my classic you have some data like the manufacturer the uid each blog is the car have 16 block with each 16 six 16 sector with four block each one you have one for the key and that but in this case the the car was almost empty the key was by the default
just FFF and in the second blog in the first one you have the info about the company but in the second one you have that stuff and when you decode as that one it's just the number of the car so there's no validations so you can just ch your car and use the different card that you want to use uh and also I went to Spain like one month ago I think to elar hack that's a nice conference too and after the talk one guy come to me and say hey hey I went to the amaz par with my kids last week and I have the card here if you want to read it I said sure let's go uh
was the same empty car just a number over there so B basically have the same vulnerabilities that all the all the cars around the world but for those decks you need a flipper zero or some different tools for NFC for NFC so I come back to the application and I said to read the code and that say okay if you if you don't have IOS iOS and NFC play is okay do something so I continue reading and say okay maybe this one is a little bit interesting I open I download application here from us I use my that phone in this case so we look it into our
account and there was a part in the application that you can get access to all your cars and also you can emulate those car with your phone so you you don't need a flipper Zer or something like that to do that just get the application get a phone with NFC uh you have the account take cover stuff too so you can get all the cards in your phone and that's it we are close to finish I don't know what time is it but I think we're okay what we can do basically we can get access we can get the data for all the customers we can emulate car access to them charge some money or air multi
multip times the same prices and what about here in us here is one of the country with most clients that they have but what about here in Vegas but first of all just try to don't do something stupid after this one um they have some stuff here they have an amusement park an arcade in some somewhere somewhere here uh they have an arcade in another place random place I don't know which one and they have there's a news place there is a bar bar barade or Bar Arcade that's a new one I saw on Twitter like one month ago and it's somewhere there too so but please I say don't don't be an [ __ ]
please well at 2024 we still having some shitty vulnerabilities and misconfiguration ation so you can go to the basis and pH interesting and and get a little bit of damage in that stuff and theop culture will help L to the company because if you are fixing the vulnerabilities at the beginning you don't need to wait until they are in the production and make all the problems that we always have security ucation and training for all the person blah blah blah the normal stuff I mean not not for the security or the developers just for the whole company uh uh there was update because I present this talk beside Colombia in April and at the moment they never
replied to me but after that stuff I think they saw the talk or something and we had a meeting over there in Colombia H I was scared of [ __ ] over there and we had a meeting say okay let's work together it's fine okay I do this one for free but if you want to pay it's okay I just want to report it to you and you need to fix it it's fine and that was on April in May I write a report and say and send I send the report to them and they never replied to me so uh I did my best at least so uh if you found something please report it don't be having some fun I
mean you can report in the WR talk and present here in besides but don't be the facing website or just made some [ __ ] stuff over there and if someone send you a reer place a little pay a little bit of attention you don't need to pay them but say hey thank you for report this one to me we're going to work on this one and that's it and that's almost all because tomorrow there is the other version of the talk in Sky talks uh 3 p.m. I think yeah at 3 p.m. and there will be more data that I can show you right now with that camera pointing to me but but if you're going to get more
sensitive data you can go there tomorrow uh for the entrance you need a t you need a token that they are doing that stuff over there and also you need to give me a beer I think that was on the documentation I don't know why but that's all people thank you so
much thanks uh any questions cool can you use the desk thanks I saw a hand thank you hey great presentation um I missed the part where you were first explaining the API how did you get the API token or how did you no I mean I get the token from the Android application ah okay uh but most of the endpoint didn't have any validation or something like that they they don't they only validate the token in the Char in the for charge money so that's it uh time for one more all right thank you so much thank you all right next talk at three [Music] [Applause] [Music] [Music]
[Music]
[Music]
[Music]
he
[Music] h
[Music]
[Music] oh a [Applause] [Music] [Applause] [Music] [Applause] [Music] I'm [Music] just I'm just TR to give you [Music] something I'm I'm just trying to give you something do I'm just tring to give you something [Music] w [Music] [Applause]
[Music]
[Music] [Music] I'm just TR I do I'm just TR to something [Music] I'm [Music] just I'm just trying to give you something [Music] w
[Music]
[Music]
[Music] [Music]
[Music]
[Music]
[Music] [Applause]
[Music]
oh
[Music]
[Applause] [Music]
[Music]
[Music] oh
[Music] oh [Music]
the [Music] n [Music]
[Music] [Music] n [Music] [Applause] [Music]
[Music] oh [Music]
[Music] [Music] [Music]
[Music]
[Music] a
[Music] a [Music]
[Applause] [Music] hey hey hey [Music] [Applause] [Music] he [Music]
he
[Music]
[Music]
[Music]
[Music] St [Music] back
[Music] he hey hey hey [Applause] [Music]
hey hey hey hey hey hey [Applause] [Music] he [Music]
[Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music] [Music]
[Music] [Applause] [Music]
[Music] w [Music]
oh oh
[Music] h [Music] a [Music] [Applause] [Music] [Applause] [Music] [Applause] [Music] yeah I'm just TR to give you something okay do you I'm just TR to give you [Music] something I'm just something I'm just to give you something [Music] w [Music] w
[Music]
[Music] [Music] I'm just I'm just dring [Music] something I'm just tring something I do you I'm just trying to give you something [Music] oh [Music] w
[Music]
[Music]
[Music] [Music]
[Music]
10 seconds
all right good afternoon uh we're ready to kick off uh the 3M session here in ground to through Bri sides Las Vegas before we do that uh I want to make a few quick announcements first I'd like to thank our sponsors especially our Diamond sponsors prism cloud and Fanta and our gold sponsors project circuit breaker and srep it's their support along with other sponsors donors and volunteers that make the event possible secondly phone's on silent it disrupts the stream finally if you have questions call me over and we can use the mic uh please welcome him in thank you everyone am I audible Perfect all right so thank you so much for joining um my name is
Amit we will talk about H Shadow apis and zombie apis today um I've been an API exterminator for PayPal for the past year and a half um I've been developing tools Frameworks to that will that validates H Expose and help Drive remediation ER for this uh issue and uh yeah let's get onto it so um first all of course Define what uh Shadow and zombie apis are and I'll show you an example a few examples actually and we'll talk about the preventative um sdlc on how organizations should Implement measures to um to stop Shadow apis from being an issue and uh finally some techniques for major uh Frameworks and the demo of course so in
this talk let's set up some some ground uh rules whenever I will say the word API what I mean by that will be um a service from a microservice or a method and endpoint or um a query for a graphql or any resource that is available through uh API consumers so um like a form uh URL that that that that gets uh some information through a post request or um any API request basically so so everything I will call Api um so first of all Shadow apis uh basically there are the unidentified um sorry the official undocumented endpoints so um that basically are being exposed through a configuration issues or um some human error or a llm by mistakes and they are
still externally available through uh through the Gateway um most of the issues are with Shadow apis are that they're not part of the security review process and often lead to areas of of the organization that are not being tested against H by by the security teams zombie apis in they're similar in their uh risk that they pose and and um but they were originated from from actual working apis but they were simply forgotten so um and I've encountered a lot of those kind of of zombie apis where the developers they know about some issues but yeah they saying yeah we're going to we're going to decommission it soon or we're going to Sunset the application or yeah yeah it's
inactive but still exposed those are still issues that are posing risks to the company um basically um in if you want to categorize the this class of issues there are improper Inventory management um and by this definition um they they they leave some uh areas of of of what we call attack surface uh so the the weakness itself can be categorized as um well in the definition it say old API versions or endpoints left running unpatched that's a risk right out data documentation makes um uh some sensitive information that might be available uh through the through the those old apis um sometimes they host real data so let's say that and we'll see some examples of
that but but if we by mistake as a developer if I put out a QA with real data and I forget to uh delete it after or and it's still being exposed then then then those are real risks some outdated systems will be a risk because they host some vulnerabilities um and there are many cwes that can be considered um as part of this weakness but that depends on on the the the the business logic or how it's being implemented so okay uh one
second so uh anyone's familiar with the Resident Evil the the the movie and games right I see I see some heads right so um let's dive into this this fictional company of Umbrella Corporation and let's see some of the developers tasks and um the actions that they took to perform the task and what was the result uh you can you can imagine this Corporation as having having uh um multiple services that um Expo been Expo are exposed through several servers API gateways right going through firewalls and everything just this this pretty standard right you don't have to go into the details just understand that they might have many services that are being exposed and some of them should not be
exposed um so so this is Matt he's a senior developer right he was tasked with uh upgrading uh the API spec from version one to version two uh while while he was implementing those some new features in version two he left the old version one end points active so he was trying to make sure that the transition was smooth uh the old version one apis were never properly decommissioned leading to Shadow apis so the version one um was still accessible with many vulnerabilities in it that that like I mentioned before could also happen uh on subdomains and basically any resource that resource that it is still exposed okay so let's go to Alice she's a full stack engineer H she uh
integrates a third party debugging tool to troubleshoot some issue with her stack uh the tool registered some additional endpoints um with the framework API router so because it needed that to operate for example like a Swagger UI or um health checks right and um she forgot about it and um they were left those end points were left exposed in production and that that's that's a major example of Shadow API um James here he was uh working on U exposing some of the an points in his API and he was using U um um a dependency for his for for typescript right an npm package um to expose those those uh endpoints the package itself became
outdated he forgot about it did not update did not do an npm audit or whatever and um those end points were left accessible in production so the the even code that we don't see even code that we took from other developers might expose those kind of um Shadow apis right and um you know it's a general idea a good idea to check with snake advisor when you're installing external dependencies um so uh this is rain she's a junal developer um she was tasked with configuring the API router uh to to make sure that the API itself would handle uh some some end points she was she used a wild card pattern so I'm not sure it's
probably too small I'm sorry about that H but uh she defined a path with wild card meaning that anything that's um inputed into this body parameter would pass through to the um service so so um some end points that might occupy the same path uh route basically would also be exposed so this is a misconfiguration um yeah so I I'll Rush a bit because I'm I'm I'm bit a bit out of time here uh so um so so Spence here should have took the time and decommission some apis but he basically forgot because he was rushing to push to deployment and um here's an example uh by by kapan of of deploying a some sort
of Gateway that Bridges between Downstream services and um basically what what he did was he forgot to put some authentication to um to limit the access of some Downstream services that were inadvertently exposed um so yeah missing documentation is a is the major issue this this this this is what helps with um you know identifying those apis and um you you need to have someone competent enough to uh make sure that those apis are properly documented and I wanted to give an example by by an llm so the Red Queen is in the in the movie She's she's is a artificial intelligence and um in in this example she was tasked with working on a feature
she she took some time um but the branches she was working on um drifted from um the uh the branch that other developers were working on and between those some apis were between those in a diverent of of of those branches so some API I were H unintended uh unintendedly exposed right um so this is like a list a shopping list of how adversaries uh identify ER and discover apis in general so boot Force running a word list and trying everything until it works uh less than optimal but even blue team use this to identify some end points um you can you can identify domain names and the old hosts if you have a history of DNS
and that could also lead to some exposure um you can de compile some mobile applications that link to some apis uh that also give some information about it bugs error messages uh logs and uh traffic and uh some some even back Bounty Scopes might leak this okay so we we see that this is like a major a major issue and H and how we deal about how we deal with it so there's a thing called uh open API Swagger specification basically H that is supposed to be a contract between the consumer of the API and what the API um exposes and allows um we use this uh specification to have tools and integration that validate uh what endpoints we have and
um um we use this to make security scalable right so having um a detail specification of each and every API that we expose reduce the attack surface that we are not aware about and there's a thing in Swagger in in in open API called Swagger extension uh which is just a extra parameter you can add to the specification and um the recommendation is to add the uh visibility into it and validate against it in the API level and validate against it uh in the cicd right so if we know about an API that should be internal we would never add it to uh the Gateway as being exposed from external sources sources and um you can use um open API
spec with many of the asms and uh major gateways um like uh like Kong and um um there's a lot like Microsoft Google they own have their own everyone has their own tools Amazon that they ingest open API spec and basically um you know stop some access to some apis based on the specifications um the most important thing that I've encountered while dealing with this issue is is listed here basically to know what we have to have the tools to have the scripts that are running automatically and and and and identifying those in the logs in in external traffic in all of the tools that we have H open Telemetry is a major thing that can be used to identify those
um ownership of the of the of the service itself um who do we call to in the middle of the night to tell him that there's an issue right and um and actually finding this in um centralized place is really important um I'm want to speak a bit about thread modeling I don't think I have a lot of time so um basically thread modeling means that we visualize our Network we find the potential risks involved in the architecture um and in this case what can be exposed and what not and what can be exposed through various services like if a service routes the traffic back to another service they should be considered within the same level of
exposure and um I really suggest if you have if you have any interest in threat modeling uh to go to this link threat molding Manifesto there's a ton of information there there's also a contest in in uh in Vegas this week that are regarding to uh thread molding and uh yeah so also OHP is a great tool for any cheat cheet or information regarding uh web application security so in this demo I will H show um uh one technique among many to identify services for um expressjs which is a node ER package used to expose web applications um but but you can use source code analysis dependency injection code injection um framework query simply asking the the the framework with CLI
what are the endpoints are um using traffic that youve identified in any of your other tools and of course boot Force Ur always works um and um yeah for spring boot you have many options um like actuators if you're using Jersey then uh you can use the web application descriptor language that gives an XML and you can um use even Sam GP or other static analysis tools to obtain the annotations that defin them the apis and of course the actuator which is a debugging tool um and um there's there's a few examples on how to achieve this but let's move on so uh yeah in flask for example you can simply use the command flask routes and it will give
you all of the routes that are exposed even the ones that you did not Define in the code like any dependencies um yeah I see people taking pictures like at the end of the of the talk I have a QR with a a link to um to a repository with all of these tutorials like a workshop all right so you'll have everything and uh all right so let's let's move on to to H to the H demo real quick okay so I'll I'll probably skip a bit so um here we H run a nodejs application we use the npm Run start this application I've created three years ago it's it's it hosts it's a dam vulner application that hosts many
vulnerabilities and um exposes some weaknesses such as Shadow apis and which we run this application we save the debug in log you can see sorry you're not seeing the I'm really sorry how do I stop this all right okay let me start again so we are running this application um we use npm Run start to um ride application and save the logs the logs are saved into a a file inside the file it defines every instance of API registry in the register in the router sorry that registers um a method and a path and uh we use this uh log with in combination with the Swagger file um to and this is just example of
the Swagger right and uh some of its apis and and uh we use this file and a script that I've also provided to pass the logs into a a file that basically contains all of the endpoints so the list you see here is all of the end points the application actually exposes even the ones that the developer did not intend to expose in this example we will see a few uh end points and um so you take this and then you copy it to the folder uh this folder contains a spectral rule which is a tool used to lint open API specifications so it goes through each and every path of the spectral file and
it will normalize the paths to H um identify end points that basically share body parameters so let me see the let me show you the example here so the API H if you can see the delete user um user email the user email is a variable it's a it's called a path variable uh and uh basically it it can has many names both on the API specs and both on the um routes that the API registered registered and um so we normalize this and then we compare H we simply run the linter using spectral lint Swagger Json and you can see that it provided us if you can see to your to your right there with the API
that are exposed but are not registered properly so those register form and a V1 API docs and um yeah so as I mentioned all of these uh um scripts and tools are available H let me just open the last slide all of these uh apis and tools are available um through this GitHub repository and um so this is just an example but in this reposit there have many examples for like Jango flask and and more so um yeah that's it thank you very much for listening have time for about one question while we let everyone scan the QR code um any questions for me all right thank you so much right thanks everyone [Applause] [Music]
he
[Music]
[Music] [Applause]
oh [Music]
[Music] [Music]
[Applause]
[Music]
he
[Music]
[Music]
[Music]
a
[Music]
n [Music] oh [Music]
all right welcome back good afternoon this is the afternoon session for ground floor besides Las Vegas 2024 about to have a talk on who is uh and reconnaissance so uh before we get started I'd like to make a few quick announcements first I'd like to thank our sponsors especially our Diamond sponsors prism cloud and vanta and sponsors Adobe and project circuit breaker it's their support as well as other donors sponsors volunteers that make this event possible uh also reminder as always live streaming gets disrupted by cell phone noises so please put them on silent if you have not please welcome will all right thank you everyone uh so the title of talk is who is the boss uh building
your own who is data set for reconnaissance just real quickly about me I'm a senior staff security researcher at sprocket security always want to thank you know sprocket for not just the opportunity to come out uh but to get to talk about this research project was a fairly small research project over the past past year but I think it have value and I'm sort of interested how other people are approaching this problem uh I've worked in offensive security since about 2008 uh it's my second time speaking at besides Las Vegas uh the last time was 2013 though so it's been a it's been a minute uh so onto the cont content cuz I know we have 20 minutes um I think most
people in this room have probably registered a domain before uh and when you're registering a domain you're required to provide ownership contact information so that's going to be first name last name address phone number fax number uh email address I have a name Che screenshot there um and as part of that process for most modern registers you're given the option of uh applying uh redaction or privacy to what you put in there if you decline that and somebody does a who is look up on the domain they'll get back the ownership information and that's by Design if you do apply the redaction for privacy over the Privacy feature uh then if somebody does a who is look up on the
domain they'll get back redacted for privacy for the fields and then usually there's a URL that you can fill out and get access to the information depending on the registar so it's very common practice for uh to use reverse who is as part of the Recon process so for example if you go to your terminal right now type in who is bankofamerica.com you'll get back the information about Bank of America so as we said name address phone number email that sort of thing at the bottom I've sort of boxed out the domain. administrator at bankofamerica.com so for red teamers pentesters in the room I'm sure you've done it it's very common to use a data broker service to to an
API call with or to the UI as what other domains have been registered by domain. administrator at bankofamerica.com or whoever we're doing reconnaissance on and if you do that call through like waxy you'll get back about 400,000 domains and typically the process from here is you sort of filter out the domains to see what's valid in the case of this domain haxy will also do historical lookups so these could be domains that have been long gone but were at one point registered by this email address but really the idea from here is that we can pull out other domains that are owned by the company in scope so this is at least some subset of
these domains are also owned by that company so again for the red teamers I'm sure you have stories I mean I give an example in the past few months uh we do what's called continuous pen testing so it's on an assessment uh there was an apex domain provided by the customer single Apex domain did reverse who is found additional Apex domains uh within one of those so you do the full reconnaissance pipeline after that so subdomain Brew forcing Port scanning identifying Services found a Json environment file with Azure creds hard-coded by Dev Ops in this adjacent Apex domain and that gave us the foothold into the environment through this other Apex domain so pretty common
process I think many of you have done this before this is one of my favorite quotes on it uh by Jason hadock so I'm sure many of you guys know him I saw him walking around the con earlier um and that is for every new Apex domain we find we Forex our chance of hacking the Target right so we have a we have a multip multiplicative effect by finding a new Apex domain and sort of in my mind it's like it's almost like the branch of a tree right so we found one Apex domain now we find another one and that whole pipeline goes off of subdomain brute forcing Port scanning all of the things
that go along with potentially gaining access just through this additional ape domain that's found so although there's some filtering that we need to do some process that we need to go through it's so worthwhile that we end up doing it because it increases our chances of potentially getting in uh as I mentioned there are some data Brokers uh really common data Brokers there are many of them these are three examples uh haxy is super popular uh really reasonable API cost to do reverse lookups you can also do regular lookups and bulk lookups lots of tools on GitHub to automate that process if that's what you want to do uh security Trails another really popular one they're more
broadly focused on ASM but within their documentation they absolutely have reverse uh who is lookups through the API uh more expensive but excellent data and then who is XML API well I I don't use them as much um from what I understand it's more FOC more focused on like ENT or potentially malare domains but again very who is focused lots of data so that sort of lays the foundation right we've talked about uh the importance of reverse who is and now we're sort of moving more into the meat of the conversation which is which started out with the research pro project of what if we managed our own who is data set so if we were like all
right we're not necessarily going to use these data Brokers for a bit what does it sort of look like to manage our own who has data set to Aggregate and collect that data and so the rest of the talk is really Lessons Learned building out that who is Recon data set that hopefully you can take with you if you want to try it out um alerting on newly register domains which I would probably argue is the most valuable thing about managing your own who is data set and then some disadvantages that we just probably can't overcome but are worth sort of discussing clock for a second okay so uh we're building up the Recon data set for who is the first thing
we're going to do is Source a lot of domains I start with the Cisco umbrella top 1 million domains 1 million domains is not a lot of domains but what I really like about this data set is that it's it's valid it's well organized um and it's really good for like unit tests because as you build it out uh you can you can be pretty confident those domains are solid along the way I tested a lot of different free sets and I have to say this is probably by far the best it's a TB odans domains project um his goal is to have the largest set of free domains on the internet so he has 1.3 billion
domains available through GitHub right now um You can bash scripted as I did and pull out in the millions of Apex domains I'd also say what's really nice about this domain set is it's organized by TLD so if you want to focus on hbr Brazil or you want to focus on bank because you're into the banking TLD it's all organ organized and you can sort of go from there the other one which is really important and I would say the first two are like historic domains right because they depend on the last time they were updated but we have this whole kind of problem with our data set where there's like 50,000 to 400,000 domains registered every 24
hours so there's a lot of domains that are consistently being added and potentially on a continuous scale by you know one of our customers or whoever you're working with who is DS provid who is ds.com I should say provides a newly registered domain set so every 24 hours they put out a zip file inside the zip files a text with all the domains registered from the previous 24 hours so it's really helpful if you're charting domains on a daily basis um as part of this project I wrote an open source tool called who is Watcher and we're going to come back to this a couple different times but in there there's a flag D- nrd
if you put that on a cron tab it'll just every day for say once a day it'll download all the domains from the previous day so you don't even need to go to the website it'll just automatically do it for you okay so we're trying to build out our data set we have a large set of source domains now we need to begin to do who is lookups on them unfortunately we can't just do that from like a residential IP or a Home IP there's IP rate limiting by certain registar there's certain reasons why you just wouldn't want to run it from home essentially um I'll talk about three different ways to do lookups uh the
first one is is IPv6 proxying so I actually I I didn't know about this technique till about a year ago um but when you get a VPS and you enable IPv6 on it they don't just give you like one single IPv6 it's not like ipv4 they give you a range of IPv6 addresses or a net block so like digital ocean I think is like maybe 15 but if you go with a $5 Lode they'll give you a SL sl64 which according to Chad gbt is sextilion million domains um I just thousands of millions cuz I wasn't really sure it's a massive number of source IPv6 addresses that your single system can take on so black lanard security has a tool
called Trevor proxy which sets up a local socks proxy to rotate the source IPv6 so if you have that set up then any request sent through that local uh socks proxy will modify your Source IPv6 and essentially rotate it as part of the process who is Watchers support socks proxying so you can use it um with this uh it's a it's excellent tool works very well the one downside is not all registrars support IV I IPv6 so what you're going to run into is certain subset of domains just can't be looked up with IPv6 you have to fall back to ipv4 uh or another technique um all right second one who is lookups so that's IPv6 proxying uh you
can I've clocked it at about 100,000 to 200,000 domains uh per 24 hours pretty good but not the best um next would be uh art app so um there's there's been like many protocols there's a history to it who is goes back to the 1970s in a rapnet um Elizabeth finer team and she was like pivotal and that she also helped develop DNS they helped develop who is as part of rabet um originally it was sort of like a white p uh White uh Pages uh and then 2005 it was updated to uh what we sort of look at is the current who is protocol so that's on Port 43 it's unencrypted um it's human
readable not machine readable uh and around 2017 started introducing art app which is u a rest based API for who his lookups it will also return Jason this sounds amazing right like oh wow now we can just do HTTP you know rest based lookups on domains and get Jason back unfortunately uh not all registers support art app um and here's like the list of those that do and don't and again like IPv6 you end up having to fall back to a different technique to do Mass lookups probably the most effective way I've seen do to do it is through serverless Cloud so again I mentioned who is Watcher it's a small go tool you can easily deploy it into AWS Lambda um
so you can use like the AWS cdk which makes it really easy to create a function and a function URL um that was my preferred method for a long long time and then last month I don't know if anybody saw the tool Lemma did anybody has anybody heard of this tool really interesting it allows you to deploy like uh offensive tools into Lambda function URLs very very easily and helps you uh use them at scale so it's excellent tool um def Pam is the author if you want to look it up um and in there there's a script called tools install tools. sh you can add who is Watcher into it and then it'll automatically deploy into a function
URL so here's really the meat of this point I probably could have started with this full bullet point but if you're doing it through serverless Cloud 400 concurrent invocations which isn't a lot like most people's accounts allow for a thousand concurrent invocations per uh per region um but with 400 concurrent invocations you'll complete 1 million to one and a half million uh complete queries per 24 hours so it's more than enough to do newly registered domains um who Watcher will also respect IP limitations it has a built-in back off so if it detects that the registar is like hey you've made too many requests it'll back off of it and stop the request I'd also highly recommend U
someone on the team uh pointing this out you can use AWS event Bridge so if you set AWS event bridge to run every minute and do like a modify of your Lambda function so like almost doing nothing to it but just modify it then the AWS infrastructure will redeploy it and so you receive a new source IP so every minute you have a new source IP by doing a simple just modification through a vent bridge this is the command at the bottom here so um like cat domains this could be you know the past 24 hours domains piping into Lemma with 400 invocations calling who is Watcher and then saving the results so pretty pretty uh pretty
painless way to do these Mass lookups that need to be done all right so we have a set of Source domains we have a way to uh to look them up now we need sort of an application on top of that unless you just want to take the domains and analyze them um one of the best applications that I found is alerting on newly registered domains so if you're doing like red teaming continuous pen testing bug bounty hunting then as these TW these uh domains come out every 24 hours you may want to be notified that a domain created was by a customer that you were following along with so if we go back to that Bank of American example
and we have a register an email of domain. administrator Bank ofamerica we can create a yaml file and we just call I called it watch list here it has a key of email if the email contains Bank of America then I want to be alerted so we're taking that LMA function or however you've saved all the domains we set a watch list so we get notified if any of those domains are of interest and then immediately we get updated so we know hey you know something of interest just got registered within the past 24 hours let's kick off the reconnaissance process from there another big Advantage I would say um so with the data Brokers your reverse
lookups are usually uh scoped down to email company name um and actually organization so it's email and organization uh and then domain name but when we run the data when we own the pipeline we can do multip we can do reverse lookups on multiple points at once so on the left here we have Tesla they've redacted everything but they have a registering organization of DNS to Nation um and one thing I think you've probably seen if you're into reconnaissance is companies tend to use the same registar for all of their domains and it kind of makes sense right you wouldn't want to register half your domains with Route 53 with AWS and uh you know half with name chep or
something so they tend to use the same registar so we can use a combination watch list so we have our combo of domain contains Tesla and register contains their registar uh and then we'll get alerted on other domains that are they're potentials they're going to require a little bit of work but they fit into that 1% you know grouping that takes us over the line to maybe find a really impactful finding so these were two example domains like I ran through like a large data set I'm not sure if Tesla actually owns uh Tesla UNF free.com but it does match up with the name along with the registar and obviously you can combo on other points too you could do
do zip code address right you can do different ones um I can think of an assessment from the past six months where I identified a domain it had a very specific name to one of our customers and then it had a registar of AWS and that led to like it wasn't a big finding but it was like a WordPress site that had just been sort of stood up and forgotten about a little bit so the technique definitely works it has a bit of a high noise uh value as you might guess um but it's absolutely effective and especially when you have the pipeline in place I mean it's easy big disadvantages I would definitely call out um number one is the
data Brokers have historic Who records going back well over 10 years I think I saw 2007 for one of them I wasn't sure which one it was um and that's a really big Advantage because if we think of like a company like let's say we're doing Tesla and they've redacted there might be a point in the past where they didn't redact that information where that email was available and then they can cross reference on other historic emails and find other domains so data Brokers definitely have the advantage there um on the upside you know it may be a limited number of API keys that were burning in order to make calls on historic data um but the you know
overall like they do have excellent data second disadvantage I would call out is a berse build um which you know comes into play with all of this sort of stuff uh the data Brokers will sell most of this data wholesale so if you were like I want every uh historic record for 550 million domains you can buy that from um some of the Brokers that I talked about it's quite expensive but you can buy it um you can also get it as a service obviously apis or the uis uh who DS in particular if you wanted to do newly registered domains you could pay to have their service of every single day instead of just the domains I would
like all of the results from who is uh but again you'd find the pricing on the website it's not necessarily cheap um second this one I may be a wash but you do need to manage and curate your own data so as you're building this out you have to make sure uh you know have I been ipate limited on certain domains do I need to recheck them um so it's really important to sort of manage your data but again you also get a really good glimpse into how the data looks I mean I have seen from the data Brokers cases where they are IP restricted in some cases and we'll have better data in our own data set so there
is definitely high value in terms of the size of the data it can like easily fit into click house postest SQL it's not a ton um one thing I'd also call about call out about who is Watcher is rather than being like human readable it'll give you Json so you can get all of your domains in Json and then stick it in like click house and then immediately you know the columns are made out for you and you can analyze the data that way if you want so I guess in closing um couple takeaway resources this isn't online yet I'll I did I was a little sketched out by the uh the Wi-Fi so I didn't post it yet um
so it's a private repo but it'll be up tonight um and it's basically as this research has gone on just taking notes about uh um like blog posts and interesting things I've seen from who is a lot of really uh interesting work that's been done over time so it's cool to see that and I put that in there um certainly if you're into internet scale scanning I would love to talk to you like I find this stuff super fascinating and coordinating it scaling it uh thinking about it so please come talk to me I mean that's part of the bides mantra uh and then that's all I had so um I don't know if there's any questions or
uh questions from it yeah so are you picking on Bank of America because they're on the other side of the wall are they a sponsor oh my my bad no no I did not do that I I have noticed a little bit the banking domains I don't know if they have a legal requirement to expose who it excuse me who is Data but that could be part of it but yes I absolutely was picking on no um for the uh collection of uh list of domains uh I can has a uh centralized Zone data service which uh allows you to sign up and just get a Zone file for every TLD uh and it's updated daily did
you try using that as a source for domains so here's where it got a little bit off the camera but um is that a researcher required uh it's it doesn't need to be researched they they say it's available for uh research education uh um security law enforcement anybody can sign up I have an account for it and uh it they just provide you with an fdp and you can download the Zone files for every TLD uh daily and is it and so it's the newly registered domains sorry newly registered domains no it's every domain registered under the TLD it'll that's what I thought yeah it'll give you every every domain registered under the TLD uh
along with the name server I believe okay yeah cuz I looked into it a little bit and I wasn't I wasn't sure about the terms of service that's the only reason that was my hesitation but that if if every did anybody need me to repeat that uh if you want to just repeat that really quick because it's valuable what the where to sign up and get oh yeah you can go to Ian it's uh the it's called the centralized Zone data service but you can sign up there um you have to like provide information and you're right there is a terms of service I think they just say you can't use that information for commercial purposes
which is kind of fuzzy so you know you can as I guess as as long as you're not selling it I think it's probably fine but you know I'm not a lawyer so not a lawyer appreciate it thank you another know question in a similar vein uh there's also open Intel which uses um um the certificate transparency pre certificates in a log to see what certificates were issued and they provide data sets of domains that are in cctlds so domains that are not don't have the I can uh contract which forces them to publish the data and I think they also have a kefa stream of recently registered domains so it may also be very interesting to explore and for
everybody who's into this topic may be a very interesting resource cool what was the name of the resource again I'm sorry open Intel oh open Intel okay yeah yeah absolutely yeah the transparency log stuff can get super interesting as well so what percentage do you think um of your DNS lookups and stuff are you getting missed because of per se like a vendor uses um a third party hosting provider that then gets all that stuff registered underneath them but it's actually managed by that main party so how much do you feel like you are missing out by misdirection of this project was was stood up by a third-party vendor and all the DNS records are pointing towards that
thirdparty vendor instead of the main vendor that contracted that so we're talking about like a squar space or like an example of yeah um that's a really good point uh what what I like about the data is we can sort of slice and dice it a little bit more so I I my the first thing that come to mind is like two data points probably like so we're taking Squarespace plus some other piece of information maybe we can drive a little more but percentage wise I'm not sure about um not sure about how much we're missing there thanks we're on break for about an hour uh and uh we'll see you back here uh after that thanks B thank you go
[Music]
[Music]
[Music] [Music]
[Music] a [Music] [Applause] [Music]
oh
[Music]
w [Music]
[Music] [Applause] w [Music] oh
[Music] I'm just something I'm just [Music] something I'm just I'm just TR to give you something [Music] w [Music] [Applause]
[Music]
[Music] [Music] I'm just I'm just TR to [Music] something I'm just TR to something I do you I'm just trying to give you something he [Music] w
[Music] a
[Music]
[Music] [Music]
[Music]
[Music]
[Music] [Applause]
oh [Music]
[Music] [Music]
[Applause]
he
[Music] a
[Music] n
[Music]
h [Music]
[Music]
[Music] [Music]
[Music] n [Music]
[Music]
[Music] a
[Music]
[Music] [Music] [Music] [Applause] [Music]
[Music]
[Music]
[Music]
[Music] [Applause] [Music] hey hey hey he he hey [Music] [Applause] [Music] he he
[Music]
[Music]
[Music]
[Music] back [Music] hey hey hey hey [Applause] [Music]
hey hey hey hey [Music] hey e [Music]
[Music]
[Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] he [Music] [Music]
[Music] [Applause] [Music] he
[Music]
[Music]
oh
[Music] h [Music]
[Music] w a [Applause] [Music] [Applause] [Music] [Applause] [Music] I'm just I'm just TR to give you [Music] something I'm just trying to give you something okay I do I'm just trying to give you [Music] something w [Music] [Applause]
[Music]
[Music] [Music] I'm just trying to get to I'm just TR to give you something [Music] I'm just dring I do I'm just trying to give you something [Music] w
[Music]
[Music] [Music]
[Music]
[Music]
[Music] [Applause]
oh [Music]
[Music] [Music]
[Applause]
[Music]
[Music] e [Music]
a [Music] oh [Music] n [Music]
[Music] [Music] a [Music] [Applause] [Music]
[Music] oh [Music]
[Music]
[Music] [Music]
[Music] [Applause] [Music]
[Music]
[Music]
[Music] oh [Music]
[Music] [Applause] [Music] hey hey hey [Music] [Applause] [Music] he [Music]
he
[Music] [Music]
[Music]
[Music] track [Music] back
[Music] he hey hey hey [Applause] [Music]
hey hey hey hey hey hey [Music]
[Music]
[Music]
[Music] he [Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music] [Music]
[Music]
[Music] [Applause] [Music]
[Music] w w
[Music] and w [Music] a [Music] [Applause] [Music] [Applause] [Music] oh
[Music] I'm just tring to give you something okay I do you I'm just try to give you [Music] something I'm just TR to something I do I'm just TR to give something [Music] w [Music] w
[Music]
[Music] [Music] I'm just I I'm just TR to give you [Music] something I'm just try to give you [Music] something I'm just trying to give you [Music] something oh [Music] w
[Music]
[Music]
[Music] [Music]
[Music]
[Music]
[Music] [Applause]
oh [Music]
[Music] [Music]
[Applause]
[Music]
[Music]
[Music] h
la [Music] oh [Music]
[Music]
[Music] n [Music] [Music]
[Music] [Applause] [Music]
[Music]
[Music]
[Music]
[Music] [Music]
[Music] [Applause] [Music]
[Music]
[Music]
[Music] a [Music]
[Applause] [Music] he [Applause] [Music] [Applause] [Music] [Applause] [Music] ch [Music]
he a [Music]
[Music]
[Music]
[Music] track [Music] hey hey hey [Applause] [Music]
hey hey hey [Applause] [Music] he [Music]
[Music] [Applause] [Music]
[Music]
um good evening everyone hello this is uh bsides 2024 uh the ground floor sessions uh our afternoon on Tuesday uh before we get started uh I would like to thank our sponsors uh especially our Diamond sponsors prism cloud and vanta and gold sponsors Adobe and project circuit breaker uh it's their support as well as other donors sponsors and volunteers that make this event possible secondly we are streaming live the streams don't like loud phones so if your phone is not on silent please please take care of that now um with that please welcome
Angel okay so I do have a PDF you can download here of the slides minus the videos if you would like to go and follow along or have notes and links for later so so this is just something you can get I'll give you about 15 seconds uh you know and then we'll go ahead and just start on with the slides uh but yeah thank you everybody for coming to tactics of the trash Panda uh the real TTP acronym the only TTP acronym all other acronyms are garbage compared to this one um I still see phones out so I'm going to wait a little
bit cool let's get started so uh just a quick who am I I am an infos doer I'm a senior consultant at Dark Wolf Solutions I'm a 3D printer enthusiasts I've been hacking and doing crazy things uh but getting paid for it for the past six years I've been trained in multiple disciplines such as net pen appsx physical uh vulnerability research I'm a proud member of dc36 occasionally dropped by Aha and set KC I do have a disclaimer here so the following presentation will deal with security and adjacent topics concept sequentially some of the content may be of adult nature this content is handled in a professional manner by me and I hope you can handle it with respect as
an audience so if you do have any any quals against this uh please feel free to leave the room now if not you know whatever um additionally content is provided for educational use only I take no responsibility for any actions taken by the audience as a result of this let's behave ourselves and have a little of fun so let's talk about like modern physical entry and red teaming uh you have this problem of Mo tradecraft Mo Problems as you get into specialized tooling markets you start having the need to fill those markets and needing to improve on that and that either costs money or development or reduces the ambiguity you can use on site with
certain pretexts these tools become less of uh tools you can mend to your pretext and more just Red Team Tools right some other problems is your geographic location where you're performing these tests May restrict you from utilizing certain tools we know Canada has some stuff going on on proposed for a bunch of SDR stuff lockpicks are illegal in certain countries and uh per state there are different lockpicking laws I'm not an expert on the lockpicking laws you can talk to the people at the Lock beon Village for that but let's get down to some prosed solutions uh you have Batman over here which looks weird in some movies he has like money or something and he just
breaks into places that he could just buy easily right um but on the other hand you have a raccoon they look awesome they eat trash and they break into anywhere without spending a dime so how do we mimic this Behavior how do we become more resourceful today I'm going to be telling you about how to do this and I'm going to be walking through how to present yourself and advice for packing my own kit commercial tradecraft and tooling primer attempting to replicate these with our own variants and some video demos and then I can show you how to practice on your own and a kind of legal way so just a quick thing about physical evaluations they're a
great way to show the internal network isn't too hard to reach there's a lot of prep work before even scoping the place out in person and all your legality and paperwork is a pain normally you go to a consultancy that has this figured out if you're trying to get into the field and do this testing instead of going freelance um and you can't always use repeat pretext for scenarios there's always something unique about a test um so preparation mainly entails a lots of preparation uh of objectives your connections your out of office your trash schedules your text Stacks your fire code your disability measures applied to the buildings and whatnot uh your surveillance schedules your antics
Behavior continuously planning um having good luck and a lot of reading so some of this reading might be your normal fire code so NFP 80 is like an RFC but for doors and buildings kind of um there's also the ADA compliance standards and these are for uh in the US they're kind of like rfc's but for doors and buildings and a lot of modern tooling that is considered red team tooling is based on the foundations of these documents um so let's talk about getting into pretext packing an improv class goes a long way before you go out and register for some Advanced red team training or something like that you might just try your local theater and
just get the basics down in one discipline first um I have used multiple pretexts some of the more common ones are here these are by no means comprehensive I've Ed the authoritative pretext of oh I work for a help desk or I'm an IT person or I'm some sea level that hates people I don't know um or you can have mutual bonding lighting somebody's cigarette you can hold the door open or be courteous and kind right or you can be a Meek Inquisitor if you're trying to gain information you can go around and ask and say oh I'm new here and whatnot and weave your shenanigans through that way way uh but play to your strengths right these
pretexts it's never oh I was born this way so I I have infinite pretext or something like this um it's always whatever you find is good about yourself and you can strengthen that and use that to your advantage and pretext uh game is game if you get into the building like that's it right like cool so a little more about packing um prepare for multiple pretext to be used don't just have like one outfit right um have the ability to maybe even swap on site once you're outside of the hotel room and on the client site being able to change um there's lots of treasure TRS of information online from employees and um charity events and whatnot that
you can scrape that information from uh don't impersonate in ways that will make you catch a case please do be legal with this um talk to your lawyers if you have questions on this I'm not a lawyer have clothing for your archetypes and covers right if you have say a construction worker vest don't bring that [ __ ] in clean you're going to walk into a place with a nice shiny hard hat and a clean construction worker vest and oh wow yeah I've been here for 3 years work and or hard days work and no get out of here like um how I phrase these types of pretext and planning I do say an improv
class goes a long way but there's kind of a framework I have where I use props to perform my skit with punch lines as the anchors so for instance you can have a clipboard with with an RFID reader inside and you can have a coffee and a handkerchief and these can be your props right and you can say oh I want to get a clone of somebody's badge so I have to get really close to them right and let's say some scenario plays out where you're outside the building and oh God J hey could you hold this for me really quick I I got this coffee all over my shoes I spill it all I'm just cleaning up here
hold this clipboard with the RFID reader next to your chest right um things of that nature and always you know work with the flexibilities you have normally you don't have to worry about your hotel rooms being searched but um obviously with some recent happenings at resorts in the area that might be uh I need to update that slide uh talking about practicality packing uh bring just enough tooling so different go will have different loadouts you want to have raw material for lots of use cases and maximum flexibility such as wires strings and pins you want to plan for failure so if you're caught with a certain tool out how do you talk yourself out of that situation right we
don't want to have to just pull out our letter of authorization immediately and that's it that's the test right we want to kind of try to fall gracefully as we do this um practice quick deployment so as you work with your tools and specialized equipment you want to practice pulling that out putting it away very quickly so you can increase your speedrun Strat for this to say and then also check what's legal and allowed on your person in case of X event for instance in the state of Kansas you may require be required to give fingerprints if a cop catches you and you have picks on your person and you're doing some type of burglar activities right so
here's my kit and the approximate usage for it so you can see here there are a lot of familiar tools and I'll start moving over here um my most used one by far has to be these plastic shims and this like local supermarket Market Shoppers card um but I have gear ties flashlights some bump chees a little lever like a wedge thing um some shims for loing our our punch bar our um Traveler Hook some bobby pins my under the door tool and we'll get to the mods and and some of those here in a second and extra Kevlar rope and yeah just all the goodies there that aren't electronic and here's some other stuff
so there's my moded under the door tool based on davan OLS and NATO civil engineers modifications that they committed to they're under the door tools using Kevlar rope there's also the humble firefighters mini J Tool which is great I think it's a awesome placement for a double door Tool uh that you can find online and this is just made out of some cheap titanium rods you can get off of Amazon so what I don't show here is of course all the cables for the gadgets and gizmos but uh here's all your electronic stuff um I've lost numerous Leatherman multitools just because I forgot them in my carryon and TSA had to confiscate them rip right uh but yeah
for the rest of this talk we'll cover the physical entry implants and devices and your wireless evaluations so talking about your under the door tool options um not civil engineer has amazing guides comprehensive guides on your under the door tool modifications you can make for different out uh outlooks and different scenarios so you have your standard under the door tool from uh sparrow and other veners will do this you can buy that for about $40 and that's qu inch to 38 inch uh high carbon steel and it's foldable it lasts pretty long uh as long as you take care of it if you're in a pinch you can buy zinc rods from Manards and these rods do not retain the shape
well so prepare to use these for like maybe one or two uses and then throw them out uh other metals try it and share U titanium could be a proposed solution but it's really expensive u in that size so I wouldn't recommend it as a budget option so getting into your budget and low profile options you do have some NATO civil engineer recommendations of the copper tubing at quarter inch with framing wire and you can make three of these for about $30 in my local market in Midwest um these you cannot easily substitute Kevlar cord for as you could the normal under the door tool and we'll see you I here in a second um your takedown under the door
tools which is the ones that bolt together they add a little bit more thickness to it and they can be harder to fit under certain scenarios so I don't really go with that you can compensate by carrying an air wedge with you and rely on that more but it's not an option I really use in the field so looking at the the mods here's a close-up so i' I've dug this groove similar to what's recommended off YouTube right with a Dremel and I just put my kevlar cord here and I'm able to use this on crash bars and whatnot because this hooks into the door and I'm able to use the cord to push that uh for
the crash bars um and actuate that right and I have some tape up here so that it's increased friction now this is the one you can't substitute Kevlar cord for so the reason you can't do this is because this dog catcher design and this is meant to be for doors with little levers so you can slide this under the door and this is where the door is sitting and you can actuate the Handle by grabbing it kind of like animal control does for dogs right and you just pull this little cable right here and Kevlar doesn't really work for that talking about shims um so some people would buy the super micet shims from Red Team tools and other vendors
these are kind of expensive you can buy them in bulk they're just called myar stencil sheets and we'll get to the measurements that I recommend here in a second but yeah the bulk is a much better value and you can cut them however you want you get much longer material so you can be more flexible with it um Dylan's card or Supermarket card this one just happens to be a good combination of thinness and rigidity and it's free it saves you money in the longterm and like what accusations are going to follow you if you get found with a Dylan's card right like oh I want to save money on gas oh oh no like kill
me right um You can use laminated paper uh I've had buddies who have used this but it does take work and this probably means that you've lost your other tooling and you're really in a pinch so yeah uh just explore your options there so for shims I recommend 14 to 16 mil thickness for the best results your 10 mil thickness is tolerable uh but cutting these you're going to have different notches for different types of locks should you ever run into say this lock you're going to cut a notch like this and be able to close the door on it so that you push on one of these arms and then you'll be able to actuate it open as you're
closing that door back um assuming you've got the other locks handled on the door this is the normal hook that you do for your normal bezel out U style doors so you can Loy those latches properly and you can just open that door like it's nothing I did run into a couple scenarios where doors had improper latch mechanisms and Deadlock mechanisms that uh They just added one of these after we exploited it and I was like wow does that help cuz I was actually curious you know I wasn't being sarcastic at the time it does not help all you have to do is just have a long piece of material that will go through the top or the bottom of this and you
can just fold that up and put it in your wallet so that's hence buy the myar stencil sheets so you can fold those up and deploy these long mechanisms
out got a little video demo for loing here and this is all it is uh you know loing has been talked about heavily on the internet internet I'm not going to reiterate it to you but this is basically the gist of
it that deadlock plunger isn't properly actuated so we're able to just push that in and open the door no problem so talking about strings and cordage we notice in the under the door tools I had some steel examp examples and Kevlar examples uh the steel cable is coated and shielded you have to inspect this prior to every use otherwise you will really mess up your client's doors and that's not a very good look when they're piring you to do this work um we want to be respectful with our entry your rigidity increases the space taken by storing it and folding it up so it's it's harder to pack at times and it's difficult to cut
without your beef your your tools depending on the cable thickness you get your Kevlar rope is great it's more forgiving and it's easier to cut the only problem is not like nylon rope with burning it to seal the end off you have to use some type of resin or epoxy so it doesn't Fray on you U but this is great you can get 1.1 diameter U thickness and it holds about 200 pounds of force on that rope so very tough stuff seamess tape has been used before on the internet a lot uh you can use this as an under the door tool but it goes over the door technically and it actuates the lever from the top side and you just
slip that around same with 35mm film rolls that we've seen before on the internet and that stuff I didn't demo cuz it's been done so many times it's not like an original idea I mean none of this really is original ideas all right um I recommend gear ties as well buddy of mine recommended gear ties to hold your gear and fold your under the door tools and hold things together and they're amazing and I have about like two on me almost all the time so talking about wire I bring electrical wire Dupont connectors uh just for some programming over cereal for certain devices and implants and then I have alligator crimps just in case you do
need it to tap into things uh physical tooling I have 2 mm thick wire uh pliable and capable of holding its own weight so so you can get this from barbed wire or real estate signs estate sale signs and fencing wire this won't Harden very well so if you want to use this for more rigid purposes not going to go well talking about picks so your lockpicks are not always accessible in lockpick form right they come in many shapes and sizes and you want spring steel and high quality ones normally but we don't have that blessing here in this scenario we are raccoon so we are using bobby pins and windshield wipers which has been done all over the Internet
online so here's how I do it with bobby pins you get your normal bobby pins you cut the ends off right the little bulbs I recommend filing down the edges cuz you will cut yourself otherwise I've done it multiple times and then you can use it as a lockpick right um otherwise if you're going to go to a riy after a rainy day you can pick up all these beautiful uh windshield wiper internals and turn these into your lock picks and all you have to do with these These are steel or some type of Steel metal um so you can just heat these bend them quench them in water or use motor oil and they
should be good to go and that's a TENS wrench and this one I just filed with the Dremel as you can see it's very crude but they work right you can use BR wire as well this stuff is pretty good um if this is something that you can carry on your person or works with your pretext that's awesome use it it's good stuff just make sure to cut the ends off and pry all the weird silicon stuff rubbings from it um talking about keys so a one-time investment in known keys or cabinet Keys you can be the key duplicator for your entire Community you can buy one of these keep duplicating machines buy one of those rings off of eBay that's you
know $70 and just start printing out key that are the same as these these are very easy to pick up and and use you know you can learn it in about 5 minutes right um and keychain of D the Oak City Lock support uh they have their their pre-made keys that you can find online right so uh here's an example c75 1's and then bump Keys bump keys are this is a known thing uh are used to have bump attacks on locks and be able to break easy locks open right uh just by actuating as many pins as we can at the same time and trying to get that these bump Keys normally are paired with these
goat banding kits kits for faster reverberations towards the back um and yeah these are very cheap and they're used for goat banding and you can use them for these bump Keys it's amazing so here's an example of that and we'll get to kind of the science of of the bump hammers here in a sec so as you can see here here's the normal key nobody steal that bidding that's my house key um and then we have our bump key with our heavily used goat banding kit and by heavily used I mean on the bump key not goats I not going to reuse it that way that's not sanitary so as you can see here we're
just fitting it inspecting it before use because these can break very easily and we're just going to take a solid Hammer object or something and just bump the back of it while we're we're holding slight tension on that in the direction the key is supposed to go so as you can see it's not open there we'll use a screwdriver I'm just going to tap it a few times s and it opens there you it turns right oh bump key crazy stuff right it's not not too crazy right oh slight show come back um alternatively there's an energy transfer that you can mess with if you have materials that are stiffer they will make more sound on the bump Hammer
as opposed to materials that are more gelatinous um so as you can see here I have an ASAP printed phallic device and this this is something that you can use to bump the the key uh very easily and even faster than the screwdriver really um it was like midnight when I printed this and I was hot off the press and I was like I hope this works just go come on and yeah it just opens right up um so that's one example if you go on the other other the Spectrum with something more gelatinous more like a silicone um what you'll get is you'll get worse energy transfers so less reliability but you'll get a a uh much more stealthy
approach that won't make as much noise um for size recommendation if you're going the Silicon route I do recommend about 6 to seven in um you know that was a 91 that was way too much it's unreliable uh but yeah like The Sweet Spot about six six to eight you know something like that so now the question is like why would you do this like what what's what's the point of this besides it's funny right like it is funny um having a flamboyant uh device when you're doing these types of things can create a guise normally when you're talking to guards or looking at how they're trained they're trained to solve escalations in terms of
encounters but they're not trained to you know come around a building and they see a person knocking on the door um normally if you turn around with a bump Hammer that looks like this uh you know you might eat lead because this is very threatening in the middle of the night and oh that's a bump Hammer there's no way you're going to talk yourself out of that U but if you're coming around and you know you're you're you're bumping a door open security guide guard shines a light on you and you're like oh I'm sorry my boyfriend and I have seven years he works here and we broke up and I'm just going through it they're not going to know how to
respond sometimes it's it's something that allows you you're already caught you're already to the point of almost failing you can gracefully fall and have a non z% chance of getting away with it and the story this scenario is based off of the Guard simply walked away and just left they didn't report any of this they didn't call extra authorities none of that they they just left that that's just how it went down U because some people aren't trying to handle that so again um people have used vibrators and pumpkin Carvers for lockpicking guns I think this is like too much of a power requirement and it's too noisy right for the meme it's cool right but uh
usefulness it's not as useful in my opinion uh but yeah the more flamboyant the better so let's talk about keys and replication of keys U this slide I actually made the day the replicant was dropped on Covert Insurance website and uh what had happened was they were like oh $90 for this kit and we look at what the kit is and cool it's all put together and what not I can order it very quickly but 20 ooun molting clay all this metal ingots okay a crack spoon um and then some other stuff right however this wonderful individual on the internet made a 3D printed model of a similar device so all you have to do is have a buddy with a
printer or print something on your your own and use this device and you're able to replicate keys and let let's look into uh the process of getting that I recommend sculp E3 polymer clay other sculp have kind of been an issue but essentially you just want to pack this um with the clay and make sure it's rolled flat right and then what you want to do is you want to put some type of baking powder on this some type of thing to release that uh releasing agent is what it's called some people use like uh baby powder I use baking powder is what I had on hand and then you put your key let's say you obtain the key and you
need to mold it now so okay I got the key give me about like 10 seconds okay put it in take it out and you carve this little this little hole so air can escape when you're casting this key and and then once you've done that the process looks kind of like this A blank YouTube video
um I see people doing this all the time you know it's it's like a common thing uh so yeah they're big in security everybody's big in security but as you can see here I'm using very Prim tools just a small big lighter from a gas station and a spoon and then I've got the uh this was actually not Woods metal it was SOS safe which is uh slightly different but still primarily or like a third lead so be careful with these you should use gloves and like properly ventilate and all that I say as my hands are bare and this uh but as you can see there we have the cast and the cast is
held together by none other than a gear tie yeah and we get this melted once it's mostly in liquid form we you just go ahead and pour that and it fills the cast and actually this take of the video I actually messed it up so it didn't go in very much and it broke but after numerous tries after numerous tries um we got it so I essentially went from zero to key casting in less than an hour plus like a three minute video that I watched uh it was not very difficult to pick up like practice makes decent on this right so as you can see here we've got the quot unquote finished key replica and then we've got the normal
key and there's some defects with the key replica as you can see here but with wiggling it I was able to overcome this so it wasn't too bad uh mostly functional right like if I put it in it doesn't turn immediately but I just rock it back to fill up for that Gap and then should open right up and there you have your key right these keys are very very delicate remember this is about 33% uh lead so let's talk about Crash bar hooks uh The Sparrows one is bulky and rubber has to be trimmed on it um you can make your own and I recommend using titanium bars or steel bars you can get these online
realtor signs have wireframe that can be used but they can't be hardened very well so try to avoid this unless it's your last itch effort and you can try to double up on the real estate sign and make kind of two wires going along but it doesn't really work too well here's a hanger that I had in my room and it was all metal thankfully so we looked out on that speedrun Tech and that's the first two steps I reinforced it with some Kevlar Cor cord and the rest of the hanger and then some gaffer tape and this supports about 5 lbs of force on that uh hook Point whereas The Sparrows one is about 20 before it starts really
bending so it's give and take right looking at this double door J Tool The Hum humble firefighter has the instructions on how to make these properly uh but as you can see here here are the specifications uh this would go in terms of your doors it would go kind of through here and actuate the door from the the U outside right I think 3mm titanium is great shout out Rob Moore for that he recommended titanium over steel um if you will heat this you want to heat it red you want to bend it and then you want to air cool it and or sand quench it and not do the whole U water quenching oil quenching with steel you
want to do the quenching and water used motor oil um with titanium there is a spring back effect so when you bend it it's going to spring back normally so if you're going for a 90° angle you want to go a little bit more uh in terms of the bend right and you'll see the manufacturing here in a second and I think audio hopefully is pass through I don't know where I'm hearing the audio from but I can just hear it Fly oh yeah but as you can see here this is the titanium uh 3mm bars and we just heat these up I am not wearing gloves or ventilation equipment or shoes proper shoes don't replicate this uh this is
yeah so you heat a red you bend it and once it's Bend you you kind of let it sit there or you do your sand quenching right don't use wet sand um and the sand quench technique that was actually um I found that on a a fishing forum where people were talking about uh titanium wire and whatnot so let's talk about forensics tools finding your keypad touches uh you can have dust reacting to ultraviolet light and this is suspicious procuring and traveling with it's kind of like how do you how do you sell this off if TSA is going to look at you weird how do you get it past them and it doesn't even get you high
like you paid $13 and like that's the only use it has is finding fingerprints uh versus sucus based powder which honey dust pleasure driven retailers have this all the time uh it sticks to oils very easily it's available at your pleasure driven retailers and it's cornstarch baking powder powdered sugar types of Alternatives the thing is honey dust has such a small granule size it's amazing for fingerprints I have tried baking powder in the past I had tried powdered sugar in the past nothing comes close to Honey dust and and its ability to just uh stick to anything because it's so small in terms of that particle size and you can see here there are a
couple techniques that that we have but uh clean is keypad and we can see there are like no super visible fingerprints whatnot and I'm going to go ahead and just use it like a normal person would right I'm oh I'm an authorized Personnel typing in the code I know oh gosh and as you can see there there's already residual ridges um from your fingers and you can see that in the Glimpse where that or that light reflex
and if we want to abuse that we can just throw this powder at it this honey dust powder with the feather applicator that comes with the device and it stands out like crazy good right like you can see that a lot better and you want to wipe the surface a little bit you don't want to be too um tough on it right because you'll lose the fingerprints eventually uh but with the feather duster it's amazing I've actually flown with a jar of this honey dust and that feather applicator in my carry-on to numerous states and have gotten no looks from TSA I try to make eye contact anytime they're inspecting my bag I will bait them and I will look
at them they're cowards they don't look at me I'll carry two of those those bump hammers in my bag and the powder they do not turn there was one guy who was a TSA agent who just looked around frantically and I was like no I'm right here you know where I am look at me look at me um here's a technique using a highlighter a yellow highlighter um and a ultraviolet light or a black light and as you can see here I'm just drawing little x's on it little formation shapes um these are supposed to be interrupted by the fingerprints whenever people touch them so this is kind of pre-rig whereas the honey dust is investigating who touched
what buttons on there this is saying oh my Target's going to come through this door and touch these buttons let me go ahead and Prime this for use right so we've made the
x's and as you can see here we've got the x's and they stand out pretty well and we're going to go ahead and you know be our Target and we we type these things
in and you can see The Ridges just interrupt the portions of the X's um I have been told uh by co-workers that to use an non smudge or don't go for the non- smudge highlighters that are yellow I tried other colors but yellow highlighter is just the best the others just don't work as well I'm talking about door alarm bypasses so K&J mag magnetic shout out to them they're cool they have strong magnets your neodium magnets the reason this is important is because when you're trying to get magnets through crevices and through small areas you want the neodon ones because they are stronger uh there are normal magnetic paper sheets you can use but they were just never strong enough
uh to actuate what I needed them to in this device um you can also use the polarity detecting papers if you can't get one of these dipole magnet detectors um around that area so this is this is a lab environment obviously so it's like best case scenario kind of proof of concept as you can see this is a huge magnet so the process is essentially slip magnet between other magnets that's it and then once you've done that uh you can't really hear the alarm go off because of the sound set up here but um it doesn't go off and it's it's silent oh cool you you can do whatever you want now go pen test all the things
right and that's one technique you can do so talking about hid so this is a subject I'm not as strong as uh but there are a lot of cool devices on the market nowadays uh but starting out I like to use the Arduino uh Shields that came there's the low frequency and the high frequency ones you can buy and there's a lot of cool GitHub projects that do like my fair 1K classic uh cracks and whatnot you can uh Brute Force those keys or you know do a dictionary attack against known keys and this is heavily talked about think there's a chameleon Pro which is cool flipper zeros and some other devices coming out um Great Scott has an awesome
video on trying to extend the RFID range um for some of these readers and going over the math and all the cool electrical engineering stuff I'm too dumb to understand and basically just takes these eBay ones and is able to extend that range a little more by adding some capacitors here um changing the circuit right um if you do buy these large coils that are meant for longer range reading you do have to have pre-made Keys normally for them um as you can see that's like a low frequency one but you would have to set it up properly so it negotiates with the car um the uh handshake so talking about disguises uh Goodwill is drip Goodwill
is awesome uh not as a company but like what you can buy there some swag can be ordered so your Walmart vest you might see these go on sale on eBay before Black Friday I'm not going to go into that uh what I use recently is uh zinc printer it's a type of paper where you'll see people have this Polaroid type setup it's a small battery power device that that fits in your hand and you're able to use these pre-formatted sheets of paper to print pictures and so here's the printer and I say oh okay you know like let me open like Snapchat editor or something and make my fake uh little little picture and this is the
one I made for another presentation at a community college and as you can see here this just prints out in a matter of minutes and you can just put it on any card now upon really close inspection you can notice oh it's not the exact same size of the card but you can fill it in by printing a blank sheet of paper and filling it in ETC changing things if you do have these sizes where you have lanyard and whatnot and your pretext says oh I've been here a while then run those into the ground don't make them look new right you don't want to look like you just got back from the Kinkos right um so yeah wear them down Sharpie
is good as well talking about implants your usb hid implants uh rubber duckies are cool but like have you ever felt bad for leaving one at a site like a $50 dongle or $75 dongle you're going to lose that because your Powershell payload had to run really these are $1 uh if all you need is hid emulation uh then you can just run these and then leave them oh okay cool I don't care I left that at our customer site they can burn that they can do whatever they want it was only a dollar there is previous research on the weed Suite the weed Elite Suite um I suggest you go check that out but if you will use a Raspberry
Pi 0w you can have the pon pie aloa kit which uh back in the day used to be a really cool kit that had like air gap P passes and all this hid mass storage emulation could do whole bunch of cool stuff um when you do that wiring I wire it up so that these uh four connectors are all on the same us USB port and it's actually at a right angle some people buy the adapter so it's your pi and then the weird USB port and it's a really long thing but for a certain use case I bent it 90° and needed it so I could go up to a help desk talk to the help desk
person they're using an all-in one I'm talking to them their all-in one is right here I plug it in and it fits nicely because of that 90° angle um and then I leave and give my shell Etc you can also use Logitech dongles these are about $7 each and if you set these up you can use a GitHub project to uh go ahead and just set up communications for keystroke injection for these hid implants talking about your network monitoring Network Taps Raspberry Pi is got expensive right um so using posive monitoring I like the orange piie series as long as they support rbn so you're not downloading some weird image off of GitHub um you want to spoof Mac usually
as printers or or uh yeah Mac devices or voes uh those are great devices to spoof now do be warn if you run into network access controls Etc or you you have some type of authentication you might have to change this it's not context aware right but you can add buttons as well so for GPI open pins you can add buttons to say okay start monitoring start capturing packs okay now xill out okay now do this um so they're great little platforms and they're half the price of raspberry pies most of the time and you know you have some like here's some just lazy xfill methods right you can DNS tunnel you can use like engro Cloud flare whatever to
prove the point right um You can purchase your LTE hats to do out of band stuff whatever your powerless Taps are error prone so if you do a passive tap right that is going to drop a lot of packets and it's also going to downgrade the connection to 100 BX based on how it works don't ask me how it works it's just I'm not an electrical engineer I don't do that stuff um but no idea if you'll fry something if you get like an ethernet port or Poe Etc um I've done it with Poe and it's worked fine but you know mixed mileage right so um as you can see there on my arm that was at one
point worth like over $500 uh when the Raspberry Pi Spike started going up so yeah that's a that's a flex um if you're going for active Taps for gigabit connection monitoring Etc you can buy these these wire shark Taps that are like $230 and they look like a tap um or you can use what they might already own in their Network closet and just duplicate the port or mirror the ports or mirror for ports or do whatever you want
Related talks
51:51
32:48
33:48
54:33
31:06
20:51